[Techtalk] tcpdump and iptables

Maria Blackmore mariab at cats.meow.at
Sun Jun 22 03:28:30 EST 2003


On Sat, 21 Jun 2003, Subba Rao wrote:

> I am using iptables on my system.  It is very basic setup that denies
> all outside connections.  When an outside connection is attempted, the
> packet is dropped and logged into the syslog.  When I run tcpdump on
> the same interface, I do see a lot of ARP requests and bootps/bootpc
> (UDP) requests.  Why are these attempts not logged into syslog?

Hi

Both ARP and bootp are broadcast protocols, requesting information from
whoever hears them and is able/set up to answer.


ARP is the Address Resolution Protocol; it's not logged because that would
fill up your syslog incredibly quickly with completely useless
information.  It's used to determine the hardware address that is handling
a requested IP address, and can occur several hundred times a second on
significantly busy network segments.  It's described by RFC 826.


bootp is used by workstations that are just starting up in order to
determine their IP address, and optionally to start loading their
operating system.  Once again, it's not logged because this would be rather
pointless.  It's a broadcast protocol because the machine making the bootp
request doesn't know anything about where to send it to, so sends it
everywhere.  It's described by RFC 951.

You will never see iptables blocking ARP because it is
an Ethernet-based protocol, and the first stage of bootp (address
determination) is a UDP broadcast on the local wire only, so you'll never
see it unless you're listening for it (which tcpdump does) or if you have
iptables set up to block low-numbered UDP ports (which you may or may not).

Neither of these is anything to worry about, and I strongly suggest that
you do not attempt to get rid of ARP, since then your network will become
a notwork.

Maria
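The following is an added example, not part of the thread above, that makes the reply's point concrete: given lines in the style of `tcpdump -n` text output, it sorts them into ARP, bootp/DHCP and ordinary IP traffic and reports which of them could ever reach an iptables LOG or DROP rule. The sample lines, the addresses (documentation ranges) and the interface name `eth0` are constructed for the example; the logging rule it prints is only for readers who do want bootp attempts in syslog.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n` text output. These are not
# real captured packets; the addresses come from documentation ranges.
SAMPLE_LINES = [
    "12:00:01.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28",
    "12:00:01.000002 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28",
    "12:00:02.000003 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:02, length 300",
    "12:00:02.000004 IP 192.0.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300",
    "12:00:03.000005 IP 198.51.100.7.40000 > 192.0.2.50.22: Flags [S], seq 1, win 65535, length 0",
]

ARP_RE = re.compile(r"^\S+ ARP, ")
# "IP" or "IP6", then src.port > dst.port:  (tcpdump joins address and port with a dot)
IP_PORTS_RE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")
IP_ANY_RE = re.compile(r"^\S+ IP6? ")


def classify(line):
    """Return 'arp', 'bootp', 'ip' or 'other' for one tcpdump text line."""
    if ARP_RE.match(line):
        return "arp"
    m = IP_PORTS_RE.match(line)
    if m:
        ports = {int(m.group(2)), int(m.group(4))}
        # bootp/DHCP lives on UDP 67 (server) and 68 (client); tcpdump also
        # labels the payload, so accept either clue.
        if "BOOTP/DHCP" in line or ports & {67, 68}:
            return "bootp"
        return "ip"
    if IP_ANY_RE.match(line):
        return "ip"  # e.g. ICMP lines carry no ports but are still IP
    return "other"


def iptables_sees(line):
    """True if the packet traverses the IP-layer hooks iptables/ip6tables
    attach to. ARP is resolved below IP, so it never reaches a LOG or DROP
    rule, which is why it is absent from syslog even though tcpdump shows it."""
    return classify(line) in ("bootp", "ip")


def summarize(lines):
    """Count each class and how many lines iptables could have logged."""
    counts = Counter(classify(l) for l in lines)
    visible = [l for l in lines if iptables_sees(l)]
    return {
        "counts": dict(counts),
        "iptables_visible": len(visible),
        "arp_invisible": counts["arp"],
    }


def bootp_log_rule(iface="eth0"):
    """INPUT rule that logs bootp/DHCP broadcasts before any DROP rule, for
    readers who do want them in syslog. The interface name is an assumption."""
    return (f"iptables -A INPUT -i {iface} -p udp --dport 67:68 "
            f"-j LOG --log-prefix \"bootp: \"")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):6s} iptables_sees={iptables_sees(line)!s:5s} {line}")
    print(summarize(SAMPLE_LINES))
    print("to log bootp attempts:", bootp_log_rule())
```

To watch exactly the traffic the question describes, the matching tcpdump filter is `tcpdump -n -i eth0 'arp or (udp and (port 67 or port 68))'`; the script can be pointed at that output instead of the constructed sample. Note that the two DHCP lines are addressed to 255.255.255.255, so on a Linux host they do pass the INPUT chain and would be logged only if a LOG rule matches them before the DROP.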