What is this in my syslog and should I be concerned?


Solution 1

Those are just DHCP messages; either your server or another is looking to configure an interface.

Solution 2

Your original question has been answered by NickW above, but in case it's helpful to you the next time something like this happens, here's a quick way to tell for yourself.

The last bit of that log line says "PROTO=UDP SPT=68 DPT=67".

This means that the packet denied by the firewall was a UDP packet, whose source port is 68, and whose destination is port 67.

You can then do: "egrep -w '67|68' /etc/services" in a terminal, and the output (at least on my Ubuntu box) shows:

bootps      67/tcp              # BOOTP server
bootps      67/udp
bootpc      68/tcp              # BOOTP client
bootpc      68/udp

You can google bootp/dhcp to learn more about the differences/similarities. Just wanted to show how you can take apart the iptables log line for yourself, for future reference.

The log line tells you other useful stuff, like the fact that the packet is coming "IN=eth0" or inbound on your eth0 interface.

PS: Question for you: what do you mean by "The private network that my server is in blocks bcast"?
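The manual reading described in Solution 2, written as a small script (an added example, not part of the original answers). The function names `field`, `service` and `summarize` and the `SERVICES` override variable are hypothetical names chosen for this sketch; the sample line is the one quoted in the question on this page.

```shell
#!/bin/sh
# Added example: split an iptables LOG line into KEY=VALUE fields and name its ports.

# Log line as quoted in the question on this page (MAC redacted by the poster).
SAMPLE='Jun 21 14:36:15 my-server kernel: [416219.080061] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:the-mac-address:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=10081 PROTO=UDP SPT=68 DPT=67 LEN=308 '

# field LINE KEY -> value of the first KEY= token.
# LEN appears twice (IP length, then UDP length); the first one is returned.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# service PORT PROTO -> name from /etc/services (or the file named in $SERVICES),
# "unknown" if the port/proto pair is not listed or the file is missing.
service() {
    name=$(awk -v want="$1/$2" '$2 == want { print $1; exit }' \
        "${SERVICES:-/etc/services}" 2>/dev/null) || true
    printf '%s\n' "${name:-unknown}"
}

# summarize LINE -> direction, protocol and both endpoints with service names.
# Direction follows the IN=/OUT= fields: IN set and OUT empty means the packet
# arrived on that interface, as Solution 2 reads "IN=eth0".
summarize() {
    proto=$(field "$1" PROTO | tr 'A-Z' 'a-z')
    iif=$(field "$1" IN); oif=$(field "$1" OUT)
    spt=$(field "$1" SPT); dpt=$(field "$1" DPT)
    if [ -n "$iif" ] && [ -z "$oif" ]; then dir="inbound on $iif"
    elif [ -z "$iif" ] && [ -n "$oif" ]; then dir="outbound on $oif"
    else dir="forwarded $iif->$oif"; fi
    printf '%s %s %s:%s(%s) -> %s:%s(%s)\n' "$dir" "$proto" \
        "$(field "$1" SRC)" "$spt" "$(service "$spt" "$proto")" \
        "$(field "$1" DST)" "$dpt" "$(service "$dpt" "$proto")"
}

summarize "$SAMPLE"
```

To run it over real logs, feed each matching syslog line to `summarize`; the service names come from the local `/etc/services`, so they reflect that file's contents.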



Author: orokusaki

Updated on September 18, 2022

Comments

  • orokusaki
    orokusaki over 1 year

    I'm seeing a lot of the following line in /var/log/syslog:

    Jun 21 14:36:15 my-server kernel: [416219.080061] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:the-mac-address:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=10081 PROTO=UDP SPT=68 DPT=67 LEN=308 
    

    This seems to happen just about every minute. Is this just my server trying to broadcast something and my own iptables denying it from happening? If so, what kind of service might do such a thing, and should I allow it? I'm running Postgres 9.2.4 on Ubuntu 12.04.2, and basically no other services aside from the basic, pre-installed packages.

  • orokusaki
    orokusaki almost 11 years
    Thanks. Is it safe to ignore it (i.e., is it common to have this running constantly), or is it something I should disable? The private network that my server is in blocks bcast, FWIW.
  • NickW
    NickW almost 11 years
    Well, it might be worth understanding what is looking for a DHCP server (does your server have unconfigured interfaces?). Are all the machines in the network yours?
  • orokusaki
    orokusaki almost 11 years
    There are other machines that aren't mine in the same network. Regarding unconfigured interfaces, I didn't create any interfaces or even do anything to the server pertaining to networking (aside from adding gratuitous rules to iptables).
  • orokusaki
    orokusaki almost 11 years
    Thanks, +1 - Regarding "private network", I should rather say my "cloud" hosting provider's local network, which can be accessed via all "cloud" servers.
  • NickW
    NickW almost 11 years
    It's probably other machines then.