firewall log port 67 and 68

Wondering if this is just the DHCP request and, if so, should that be showing up in the firewall log? I am behind a router, so could this be an intrusion that got through the router firewall?


Jul  9 22:02:43 linux-r6cy kernel: [43238.932373] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.100 LEN=576 TOS=0x00 PREC=0x00 TTL=150 ID=1580 PROTO=UDP SPT=67 DPT=68 LEN=556 

Jul 10 10:02:47 linux-r6cy kernel: [86442.136633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.100 LEN=576 TOS=0x00 PREC=0x00 TTL=150 ID=1871 PROTO=UDP SPT=67 DPT=68 LEN=556 

Thanks

opensuse 11.4

Ports 67, 68 are for DHCP. 192.168.1.1 is probably your router.

If DHCP is working fine, then ignore these. I see some dhcp logged by firewall, but I don’t worry about it.


Agreed. Also notice the twelve-hour (almost exactly) time between them.
Many home routers have DHCP leases for twenty-four hours, and most of the
time a client will try to renew at half that time. Either way the
regularity is likely not a coincidence and the only thing left to do to
really find out what is going on is to fire up a LAN trace before it
happens that runs until after it happens, tonight around 22:00 (10 p.m.).

sudo /usr/sbin/tcpdump -n -s 0 -w /tmp/dhcp.cap port 67 or port 68

The resulting file should be pretty interesting. It may include your
system trying to automatically refresh which would be interesting to see.
If you post the file somewhere I’ll look through it and we’ll go from
there. A secure location is ftp://ftp.novell.com/incoming/ (not able to
be browsed, btw, just uploaded to). You can open it too with something
like Wireshark (available via repos).

Good luck.


Want to yell at me in person?
Come to BrainShare 2011 in October: http://tinyurl.com/brainshare2011
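As an added worked example (not code from anyone in this thread), here is a small Python triage script that parses SuSEfirewall2 drop lines like the two quoted above, labels the DHCP server-to-client traffic, flags any DHCP reply that does not come from the known gateway (the classic rogue-DHCP-server indicator), and checks whether the spacing between the gateway's replies fits a renewal at half of a 24-hour lease (T1), which is the pattern described in the reply above. The two sample lines are the ones from this thread; the year 2011, the gateway address 192.168.1.1 and the 24-hour lease are assumptions, since syslog timestamps carry no year and the router's lease time is not shown.

```python
import re
from datetime import datetime

# Constructed sample input: the two SuSEfirewall2 drop lines quoted in this thread.
SAMPLE_LOG = [
    "Jul  9 22:02:43 linux-r6cy kernel: [43238.932373] SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "SRC=192.168.1.1 DST=192.168.1.100 LEN=576 TOS=0x00 PREC=0x00 TTL=150 ID=1580 "
    "PROTO=UDP SPT=67 DPT=68 LEN=556",
    "Jul 10 10:02:47 linux-r6cy kernel: [86442.136633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "SRC=192.168.1.1 DST=192.168.1.100 LEN=576 TOS=0x00 PREC=0x00 TTL=150 ID=1871 "
    "PROTO=UDP SPT=67 DPT=68 LEN=556",
]

# Syslog prefix, host, kernel uptime stamp, then the SuSEfirewall2 chain tag and key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[\s*[\d.]+\] "
    r"(?P<tag>SFW2-\S+) (?P<fields>.*)$"
)

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = "67", "68"


def parse_line(line, year=2011):
    """Return a dict of the line's fields plus a datetime, or None if it is not an SFW2 line.

    Syslog timestamps carry no year, so one is assumed (2011, when the thread was posted).
    The line holds LEN twice: the first is the IP total length, the second the UDP length;
    the second copy is stored under UDP_LEN so neither is lost."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"tag": m.group("tag")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        if key in event:
            key = "UDP_" + key
        event[key] = value
    ts = re.sub(r"\s+", " ", m.group("ts"))
    event["time"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return event


def classify(event, gateway):
    """Label one dropped packet by what it most plausibly is."""
    if event.get("PROTO") != "UDP":
        return "other"
    sport, dport = event.get("SPT"), event.get("DPT")
    if sport == DHCP_SERVER_PORT and dport == DHCP_CLIENT_PORT:
        # Server-to-client DHCP (OFFER/ACK). Anything not from the known gateway deserves a look.
        return "dhcp-from-gateway" if event.get("SRC") == gateway else "dhcp-from-unexpected-server"
    if sport == DHCP_CLIENT_PORT and dport == DHCP_SERVER_PORT:
        return "dhcp-from-client"
    return "other"


def triage(lines, gateway="192.168.1.1", lease_hours=24.0, tolerance=0.05):
    """Summarise DHCP-related drops: how many came from the gateway, any DHCP server that is
    not the gateway, the spacing between gateway replies, and whether that spacing matches a
    renewal at half the lease (T1) within the given tolerance."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    labels = [classify(e, gateway) for e in events]
    from_gateway = [e for e, lab in zip(events, labels) if lab == "dhcp-from-gateway"]
    unexpected = sorted({e["SRC"] for e, lab in zip(events, labels)
                         if lab == "dhcp-from-unexpected-server"})
    intervals = [int((b["time"] - a["time"]).total_seconds())
                 for a, b in zip(from_gateway, from_gateway[1:])]
    t1 = lease_hours * 3600 / 2
    return {
        "dhcp_from_gateway": len(from_gateway),
        "unexpected_dhcp_servers": unexpected,
        "intervals_seconds": intervals,
        "looks_like_t1_renewal": bool(intervals)
        and all(abs(i - t1) <= t1 * tolerance for i in intervals),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the two lines from the thread it reports two gateway replies spaced 43204 seconds apart (12 hours and 4 seconds), no unexpected DHCP server, and a T1 match; the thing to watch for in a real log is a non-empty `unexpected_dhcp_servers` list, which the tcpdump capture suggested above would then let you inspect packet by packet.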

It’s just a log of some traffic due to your workstation renewing its DHCP lease with your router.