Bug or Feature? Firewall LCOS 8.80 RC2 vs. 8.62 on 1823

Firewall forum

Moderator: Lancom-Systems moderators

crowstone
Posts: 26
Registered: 02 Apr 2007, 22:47

Bug or Feature? Firewall LCOS 8.80 RC2 vs. 8.62 on 1823

Post by crowstone »

Hello,

since I updated my 1823 to firmware 8.80 RC2 as a test, I have been getting firewall IDS notices every few seconds.
It looks as if these are DHCP negotiations between my cable modem and cable operator (Unitymedia):
--->

[Firewall] 2013/01/15 11:26:03,604  Devicetime: 2013/01/15 11:25:49,977
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 307, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped

[Firewall] 2013/01/15 11:26:03,604  Devicetime: 2013/01/15 11:25:50,008
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 307, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped


[Firewall] 2013/01/15 11:26:32,903  Devicetime: 2013/01/15 11:26:31,263
Packet matched rule DEFAULT (ACCEPT-ALL)
DstIP: 10.2.1.1, SrcIP: 10.1.1.6, Len: 827, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 161, SrcPort: 52694

[Firewall] 2013/01/15 11:26:33,950  Devicetime: 2013/01/15 11:26:32,308
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 309, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped

[Firewall] 2013/01/15 11:26:34,006  Devicetime: 2013/01/15 11:26:32,379
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 309, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped

[Firewall] 2013/01/15 11:26:37,185  Devicetime: 2013/01/15 11:26:35,555
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 307, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped

[Firewall] 2013/01/15 11:26:37,539  Devicetime: 2013/01/15 11:26:35,909
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 307, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped
<---



Back on firmware 8.62, it seems to look like this:
--->

[DHCP] 2013/01/15 11:18:44,146  Devicetime: 2013/01/15 11:18:42,828
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = ED3D3E15 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   95.223.135.142
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 00 16 76 d7 6e 2e 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client

[DHCP] 2013/01/15 11:18:44,146  Devicetime: 2013/01/15 11:18:42,832
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = DE556846 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   95.223.135.142
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 00 16 76 d7 6e 2e 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client


[DHCP] 2013/01/15 11:20:10,145  Devicetime: 2013/01/15 11:20:08,831
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPOFFER (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = DB04E90B | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   109.91.229.117
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 5c d9 98 21 43 11 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client

[DHCP] 2013/01/15 11:20:10,145  Devicetime: 2013/01/15 11:20:08,866
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = DB04E90B | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   109.91.229.117
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 5c d9 98 21 43 11 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client


[DHCP] 2013/01/15 11:20:21,355  Devicetime: 2013/01/15 11:20:20,039
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPOFFER (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = F9BCA738 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =    88.153.240.39
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = e8 9a 8f ea 4f 48 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client

[DHCP] 2013/01/15 11:20:21,405  Devicetime: 2013/01/15 11:20:20,100
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = F9BCA738 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =    88.153.240.39
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = e8 9a 8f ea 4f 48 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client


[DHCP] 2013/01/15 11:20:28,009  Devicetime: 2013/01/15 11:20:26,695
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = 0B21B6DF | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =  176.199.127.101
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 20 cf 30 d9 5e ca 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client


[DHCP] 2013/01/15 11:20:57,050  Devicetime: 2013/01/15 11:20:55,736
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPOFFER (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = 83174FF1 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   176.199.125.91
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 00 1d 92 7c 21 6a 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client

[DHCP] 2013/01/15 11:20:57,729  Devicetime: 2013/01/15 11:20:56,403
DHCP Rx (WAN, INTERNET): 
DHCP Server Message (reply) from 10.145.0.1: DHCPACK (Server is relay-agent)
  Op    = 02       | HType = 01   | HLen  = 06   | Hops  = 00
  XId   = 83174FF1 | Secs  = 0000 | Flags = 8000
  CIAdr =          0.0.0.0 | YIAdr =   176.199.125.91
  SIAdr =          0.0.0.0 | GIAdr =       10.145.0.1
  CHAdr = 00 1d 92 7c 21 6a 00 00 00 00 00 00 00 00 00 00

 => forwarded to internal DHCP-Client
<---


If these really are the same packets:
Is this an error in the configuration?
The router runs 2 networks, intranet 10.1.1.0 and guest 10.1.2.0.
The firewall is basically set to ALLOW-ALL and, besides the standard WINS block, has a DENY-ALL for the guest network with a rule permitting ports and bandwidth for it.


Thanks in advance,
matthias
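
A way to triage the IDS notices from the first trace, as an added example that is not part of the original post and not LANCOM code: it parses entries in the format shown above and counts dropped "invalid interface" hits per source, marking those that look like DHCP server replies (UDP 67 to 68). The sample is assembled from two entries in the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample assembled from two entry types shown in the post (not a full capture).
IDS = """[Firewall] 2013/01/15 11:26:03,604  Devicetime: 2013/01/15 11:25:49,977
Packet matched rule intruder detection
DstIP: 255.255.255.255, SrcIP: 10.145.0.1, Len: 307, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 68, SrcPort: 67

Filter info: packet received from invalid interface INTERNET
packet dropped

"""
ACCEPT = """[Firewall] 2013/01/15 11:26:32,903  Devicetime: 2013/01/15 11:26:31,263
Packet matched rule DEFAULT (ACCEPT-ALL)
DstIP: 10.2.1.1, SrcIP: 10.1.1.6, Len: 827, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 161, SrcPort: 52694

"""
SAMPLE = IDS + ACCEPT + IDS

# One trace entry; the "Filter info" and action lines are optional.
ENTRY = re.compile(
    r"Packet matched rule (?P<rule>.+)\n"
    r"DstIP: (?P<dst>[\d.]+), SrcIP: (?P<src>[\d.]+),.*\n"
    r"Prot\.: (?P<proto>\w+) \(\d+\), DstPort: (?P<dport>\d+), SrcPort: (?P<sport>\d+)"
    r"(?:\n\s*\nFilter info: (?P<info>.+)\n(?P<action>packet \w+))?"
)

def parse_entries(text):
    """Return one dict per firewall trace entry; info/action are None if absent."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def summarize_ids_drops(entries):
    """Count dropped 'invalid interface' hits per (src, interface, is DHCP reply)."""
    counts = Counter()
    for e in entries:
        info = e["info"] or ""
        if e["action"] == "packet dropped" and "invalid interface" in info:
            dhcp_reply = (e["proto"], e["sport"], e["dport"]) == ("UDP", "67", "68")
            counts[(e["src"], info.split()[-1], dhcp_reply)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_ids_drops(parse_entries(SAMPLE)).items():
        print(n, key)
```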
crowstone
Posts: 26
Registered: 02 Apr 2007, 22:47

Post by crowstone »

Hello again,

I can't say whether this is all correct, BUT:
I simply put the various Unitymedia networks into the routing table, and now the 'old' DHCP messages are coming again.

More precisely:
My routing table contains the routes for the private A/B/C networks that are blocked by default.
Unitymedia, however, uses 192.168.100.1 as the modem IP and a 10.145.x.y network from the modem to their routers. I added both of these to the routing table.
But I still don't know why it also worked differently with 8.62.


Best regards,
matthias
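
The effect described in the second post, modelled as a route-based source-address check (an added illustration, not part of the original posts and not LCOS code). It assumes the "invalid interface" verdict follows the routing table, which is inferred from the fix in the post; the prefix lengths, the BLOCKED marker and the interface names INTRANET and GUEST are assumptions.

```python
import ipaddress

BLOCKED = "BLOCKED"  # hypothetical marker for a route that rejects traffic

def build(routes):
    """Turn (prefix, target) pairs into (network, target) pairs."""
    return [(ipaddress.ip_network(p), t) for p, t in routes]

def lookup(table, ip):
    """Longest-prefix match: target of the most specific route covering ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, target) for net, target in table if addr in net]
    return max(matches)[1] if matches else None

def source_valid(table, src_ip, in_iface):
    """Accept a source only if its best route points back to the arrival interface."""
    return lookup(table, src_ip) == in_iface

# Table as described in the post: private ranges blocked, two local networks,
# default route via the WAN. The /24 masks are assumed.
BEFORE = build([
    ("10.0.0.0/8", BLOCKED), ("172.16.0.0/12", BLOCKED), ("192.168.0.0/16", BLOCKED),
    ("10.1.1.0/24", "INTRANET"), ("10.1.2.0/24", "GUEST"),
    ("0.0.0.0/0", "INTERNET"),
])

# After the change from the post: provider-side networks routed to the WAN.
# /16 for "10.145.x.y" and /32 for the modem address are assumed.
AFTER = BEFORE + build([
    ("10.145.0.0/16", "INTERNET"), ("192.168.100.1/32", "INTERNET"),
])

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, "10.145.0.1 on INTERNET ->", source_valid(table, "10.145.0.1", "INTERNET"))
```

Other private sources arriving on the WAN, including the local 10.1.1.0 range, still fail the check after the change, so the added routes only exempt the provider's relay and modem addresses.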