 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Greg Sims <greg at headingup dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Version 1.1: Firewall Logging -- Entries Not In Subnet
 Date:  Fri, 18 Mar 2005 11:56:06 -0500
On Fri, 18 Mar 2005 08:15:52 -0800, Greg Sims <greg at headingup dot net> wrote:
> Hi All,
> 
> I'm reading through the Firewall Logs of a new installation to make sure it
> is stable.  I found something interesting that I was not expecting and
> thought I would share it with the community.
> 
> The 4801-50 based router is configured with LAN on 10.0.0.1/24, OPT1 on
> 10.0.1.1/24 and WAN on a public IP.  Here's a typical Firewall Log Entry:
> 
>         If: LAN
>         Source: 192.168.0.1, port 1900
>         Dest: 239.355.355.350, port 1900
>         Proto: UDP
> 
> I wonder why the LAN interface is seeing address 192.168.0.1 as it is not
> part of the LAN subnet.
> 

Because the traffic is being sent to a multicast IP.  m0n0wall will
also drop and log broadcasts, even if they aren't on the same subnet
as the LAN.


> The next entry in the log is very close in time and contains the same
> information but the interface is OPT1:
> 
>         If: OPT1
>         Source: 192.168.0.1, port 1900
>         Dest: 239.355.355.350, port 1900
>         Proto: UDP
> 

UDP 1900 and dst 239.255.255.250 (assuming a typo on the 3's) is MSN
messenger broadcasts. 
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/RegistryTips/Network/DisableWindowsMessengerbroadcastsonUDPport1900.html

-Chris
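
A triage sketch for log entries like the ones discussed in this thread, added here as an example and not part of the original messages or of m0n0wall: it parses entries in the quoted layout and tags each one by whether the source lies outside the interface's subnet and whether the destination is multicast or broadcast. The function names, tag strings and sample entries are constructed for illustration; the subnets are the ones given in the post.

```python
import ipaddress
import re

# Interface subnets from the post: LAN 10.0.0.1/24, OPT1 10.0.1.1/24.
SUBNETS = {"LAN": ipaddress.ip_network("10.0.0.0/24"),
           "OPT1": ipaddress.ip_network("10.0.1.0/24")}
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP/UPnP discovery, UDP 1900

# Constructed sample in the post's layout; entry 3 keeps the address as typed there.
SAMPLE = """\
If: LAN
Source: 192.168.0.1, port 1900
Dest: 239.255.255.250, port 1900
Proto: UDP
If: OPT1
Source: 192.168.0.1, port 1900
Dest: 239.255.255.250, port 1900
Proto: UDP
If: LAN
Source: 192.168.0.1, port 1900
Dest: 239.355.355.350, port 1900
Proto: UDP
"""

ENTRY = re.compile(r"If:\s*(\S+)\s+Source:\s*(\S+), port (\d+)\s+"
                   r"Dest:\s*(\S+), port (\d+)\s+Proto:\s*(\S+)")

def classify(iface, src, dst, dport, proto):
    """Return tags explaining why the entry appears on this interface."""
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return ["invalid-address"]  # e.g. an octet above 255
    net, tags = SUBNETS[iface], []
    if src_ip not in net:
        tags.append("src-outside-subnet")
    if dst_ip.is_multicast:  # 224.0.0.0/4 is delivered regardless of sender subnet
        tags.append("dst-multicast")
    elif dst_ip in (net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        tags.append("dst-broadcast")
    if proto == "UDP" and dst_ip == SSDP_GROUP and dport == 1900:
        tags.append("ssdp")
    return tags

def triage(text):
    """Parse log text and return [(interface, source, tags), ...]."""
    return [(i, s, classify(i, s, d, int(dp), p))
            for i, s, _sp, d, dp, p in ENTRY.findall(text)]
```

Calling `triage(SAMPLE)` yields one row per entry; a source tagged `src-outside-subnet` on more than one interface is the pattern the original poster noticed.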