From: Maxwell Lol on 19 Jun 2010 07:41

Ken Sims <ng3122(a)kensims.#nospam#.net.invalid> writes:

> It was not DHCP traffic. I was already DROPping that by protocol plus
> port numbers.

Well, there's ARP. When I run a sniffer on my openwrt router, I see a lot of ARP traffic.
From: Ken Sims on 19 Jun 2010 11:06

Hi Maxwell -

On Sat, 19 Jun 2010 07:41:51 -0400, Maxwell Lol <nospam(a)com.invalid> wrote:

>Ken Sims <ng3122(a)kensims.#nospam#.net.invalid> writes:
>
>> It was not DHCP traffic. I was already DROPping that by protocol plus
>> port numbers.
>
>Well, there's ARP. When I run a sniffer on my openwrt router, I see a
>lot of ARP traffic.

I'm no expert, but ARP is not IP, and what I was seeing was IP traffic.

I went back through my logs and found where it started showing up. It was LOGged (and DROPped) by my rules as "Bad Destination" traffic because it came in on a WAN interface but the destination IP address was 224.0.0.1, which is not my WAN IP address for that interface. Per RFC 3330, 224.0.0.0/4 is Multicast.

Here's the first one LOGged:

Jun 8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2

This is June 2009. I would get around a dozen of these at the same time, from various different IP addresses. Then a pause for a minute or two and the same thing again. It's a continuous thing in my June 2009 log file until shortly after 7am the next morning (after I had checked the previous day's log and added the rule to DROP it silently).

Protocol 2 is IGMP (Internet Group Management).

-- 
Ken
From: Ken Sims on 19 Jun 2010 17:30

Hi -

On Sat, 19 Jun 2010 14:16:48 -0500, ibuprofin(a)painkiller.example.tld.invalid (Moe Trin) wrote:

>On Sat, 19 Jun 2010, in the Usenet newsgroup comp.os.linux.networking, in
>article <51mp16pneudir5a7qr912ig0covkrh9596(a)4ax.com>, Ken Sims wrote:
>
>>I went back through my logs and found where it started showing up.
>>It was LOGged (and DROPped) by my rules as "Bad Destination" traffic
>>because it came in on a WAN interface but the destination IP address
>>was 224.0.0.1, which is not my WAN IP address for that interface. Per
>>RFC 3330, 224.0.0.0/4 is Multicast.
>
>As there is nothing on your systems listening to 224.0.0.1 by default,
>you don't even have to bother running an IP block on this traffic. Your
>router shouldn't be forwarding it anyway

As previously mentioned, I LOG and DROP incoming traffic whose destination address is not my IP address because it's a sign of something being amiss. So I added the specific rule for 224.0.0.0/3 (blocking both 224.0.0.0/4 and 240.0.0.0/4) so as to DROP it without it cluttering up my log.

Even though I have DROP policies on INPUT, FORWARD, and OUTPUT, they should never be used. I have explicit rules to cover everything. Rules to ACCEPT what I want and explicit rules to DROP or REJECT everything else.

-- 
Ken
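As an added example (not code posted by anyone in this thread), here is a small Python triage script for netfilter LOG lines of the kind Ken quoted: it pulls the KEY=VALUE fields apart, labels the destination against 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved) and 255.255.255.255, so it covers the same 224.0.0.0/3 range as the silent-DROP rule in the post above, maps PROTO=2 to IGMP, and checks that a multicast frame's destination MAC is the RFC 1112 mapping of its group address. The first sample line is the one quoted in the thread; the other two are constructed for illustration and are not from the poster's log.

```python
"""Triage netfilter LOG lines whose destination is not a unicast address.

Added example for this thread, not code from any of the posters. It reads
the KEY=VALUE fields the kernel LOG target emits, labels the destination
(multicast 224.0.0.0/4, reserved 240.0.0.0/4, limited broadcast), maps the
numeric PROTO to a name, and checks that a multicast frame's destination
MAC matches the RFC 1112 mapping for its group address.
"""
import ipaddress
import re

# Protocol numbers seen in the thread. LOG prints a bare number for
# protocols it has no name for, e.g. PROTO=2 for IGMP.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
RESERVED_240 = ipaddress.ip_network("240.0.0.0/4")
# 224.0.0.0/3 is the single prefix the silent-DROP rule in the thread
# uses; it is the union of the two networks above.
CLASS_D_AND_E = ipaddress.ip_network("224.0.0.0/3")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample log. The first line is the one quoted in the thread;
# the other two are made up (a DHCP broadcast and an ordinary TCP SYN).
SAMPLE_LOG = """\
Jun  8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2
Jun  8 13:30:01 router kernel: IPTLOG_BADDEST: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:b8:cc:ee:50:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Jun  8 13:30:05 router kernel: IPTLOG_BADDEST: IN=eth0 OUT= MAC=00:30:b8:cc:ee:50:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(?<!\w)([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict.

    Bare flags (DF, SYN, ...) are ignored. MAC= holds dst MAC, src MAC and
    ethertype back to back; split them out so the caller can check them.
    """
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # 6 + 6 + 2 octets
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:])
    return fields


def protocol_name(value):
    """Map the PROTO= field to a name; LOG prints a number when it has none."""
    if value.isdigit():
        return PROTO_NAMES.get(int(value), "proto-%s" % value)
    return value


def classify_destination(dst):
    """Label the destination the way a 'not my address' rule would see it."""
    ip = ipaddress.ip_address(dst)
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"
    if ip in MULTICAST:
        return "multicast"
    if ip in RESERVED_240:
        return "reserved-240/4"
    return "unicast"


def expected_multicast_mac(dst):
    """RFC 1112: IPv4 multicast MAC is 01:00:5e plus the group's low 23 bits."""
    low23 = int(ipaddress.ip_address(dst)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def analyze(line):
    """Summarise one LOG line; mac_consistent is None unless dst is multicast."""
    f = parse_log_line(line)
    dst = f["DST"]
    label = classify_destination(dst)
    summary = {
        "in": f.get("IN"),
        "src": f.get("SRC"),
        "dst": dst,
        "proto": protocol_name(f.get("PROTO", "")),
        "ttl": int(f["TTL"]) if "TTL" in f else None,
        "class": label,
        "in_224_slash_3": ipaddress.ip_address(dst) in CLASS_D_AND_E,
        "mac_consistent": None,
    }
    if label == "multicast" and "DST_MAC" in f:
        summary["mac_consistent"] = f["DST_MAC"].lower() == expected_multicast_mac(dst)
    return summary


def analyze_log(text):
    """Run analyze() over every line that carries SRC= and DST= fields."""
    return [analyze(l) for l in text.splitlines() if "SRC=" in l and "DST=" in l]


if __name__ == "__main__":
    for s in analyze_log(SAMPLE_LOG):
        print("%(in)s %(src)s -> %(dst)s %(proto)s ttl=%(ttl)s %(class)s "
              "224/3=%(in_224_slash_3)s mac_ok=%(mac_consistent)s" % s)
```

Run as a script it prints one summary line per log entry; the quoted entry comes out as IGMP to 224.0.0.1 with TTL 1 and a matching 01:00:5e:00:00:01 destination MAC. IGMP general queries are sent to the all-hosts group 224.0.0.1 with TTL 1, so the entry is consistent with a multicast router querying the segment the WAN interface sits on rather than with anything aimed at the router itself; the MAC check is a cheap sanity test that the frame really was a multicast frame and not unicast with a spoofed destination.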
From: Maxwell Lol on 20 Jun 2010 18:48

Ken Sims <ng3122(a)kensims.#nospam#.net.invalid> writes:

> Jun 8 13:29:56 router kernel: IPTLOG_BADDEST: IN=eth0 OUT=
> MAC=01:00:5e:00:00:01:00:30:b8:cc:ee:50:08:00 SRC=98.187.87.65
> DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36350 PROTO=2

Addresses in 224.x.x.x are multicast.