Stop DHCP traffic from passing across interfaces

I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.
Example of setup:
Company 1, connected to interface 1, has its own DHCP server.
Company 2, connected to interface 2, has its own DHCP server.
Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other, but not DHCP.
Is there any way to stop DHCP traffic from crossing interfaces?
Shane

usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
* Incoming packets from any address to 255.255.255.255
* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
An example in an ASA would be similar to the following.
For blocking client:
access-list TEST extended deny udp any any eq bootpc
For blocking server:
access-list TEST extended deny udp any any eq bootps
Hope that helps.
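An added example, not from this thread or from Cisco: a Python model of the rules in the answer above. It classifies UDP datagrams by the 67/68 port pairing, applies the three server-side allow rules with constructed dhcp-ip and dhcp-pool values, and runs constructed sample packets through an inter-company ASA ACL built from the two deny lines plus a trailing permit. It goes one step beyond the answer by also naming relay-to-server traffic (port 67 to port 67), and it assumes the packets actually reach the ASA as routed traffic rather than as a layer-2 broadcast.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

BOOTPS, BOOTPC = 67, 68                        # DHCP server and client ports
PORT_NAMES = {"bootps": BOOTPS, "bootpc": BOOTPC}
BROADCAST, UNSPECIFIED = ip_address("255.255.255.255"), ip_address("0.0.0.0")

@dataclass(frozen=True)
class Packet:
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

def dhcp_direction(pkt: Packet) -> Optional[str]:
    """Classify a datagram by the port pairing the answer describes."""
    if pkt.proto != "udp":
        return None
    pair = (pkt.sport, pkt.dport)
    if pair == (BOOTPC, BOOTPS):
        return "client-to-server"
    if pair == (BOOTPS, BOOTPC):
        return "server-to-client"
    # Beyond the answer: a relay agent forwards requests to the server
    # from port 67 to port 67 (RFC 1542), so that pairing is named too.
    if pair == (BOOTPS, BOOTPS):
        return "relay-to-server"
    return None

def server_side_allows(pkt: Packet, inbound: bool, dhcp_ip: str, dhcp_pool: str) -> bool:
    """The three allow rules the answer lists for a server-side firewall, taken literally."""
    direction = dhcp_direction(pkt)
    pool, server = ip_network(dhcp_pool), ip_address(dhcp_ip)
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if inbound and direction == "client-to-server":
        # incoming from 0.0.0.0 or dhcp-pool to dhcp-ip ...
        if dst == server and (src == UNSPECIFIED or src in pool):
            return True
        # ... or from any address to the limited broadcast address
        return dst == BROADCAST
    if not inbound and direction == "server-to-client":
        # outgoing from dhcp-ip to dhcp-pool or 255.255.255.255
        return src == server and (dst in pool or dst == BROADCAST)
    # Relayed requests (67 -> 67 from the relay's own address) fall outside
    # the three rules and so are not admitted by them.
    return False

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (ip matches any protocol)
    dport: Optional[int]   # None when the entry has no "eq PORT"

def parse_ace(line: str) -> Ace:
    """Parse the ASA form used in the answer: access-list NAME extended ACTION PROTO any any [eq PORT]."""
    p = line.split()
    if len(p) < 7 or p[0] != "access-list" or p[2] != "extended" or p[5:7] != ["any", "any"]:
        raise ValueError(f"unsupported ACE: {line}")
    dport = None
    if len(p) > 7:
        if p[7] != "eq" or len(p) != 9:
            raise ValueError(f"unsupported port match: {line}")
        dport = PORT_NAMES[p[8]] if p[8] in PORT_NAMES else int(p[8])
    return Ace(p[3], p[4], dport)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ASA interface ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

# Constructed ACL for an interface between the two companies: the answer's two
# deny lines, then a permit so everything else still passes between them.
INTER_COMPANY_ACL = [parse_ace(line) for line in (
    "access-list TEST extended deny udp any any eq bootps",
    "access-list TEST extended deny udp any any eq bootpc",
    "access-list TEST extended permit ip any any",
)]

# Constructed sample traffic (hypothetical addresses, not from the poster's network).
DISCOVER = Packet("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS)  # client broadcast
OFFER = Packet("udp", "10.1.0.5", BOOTPS, "255.255.255.255", BOOTPC)    # server reply
RELAYED = Packet("udp", "10.2.0.1", BOOTPS, "10.1.0.5", BOOTPS)         # relay agent -> server
WEB = Packet("tcp", "10.1.0.20", 40000, "10.2.0.80", 80)                # ordinary inter-company traffic

def verdicts() -> dict:
    """Apply the inter-company ACL to each sample packet."""
    samples = {"discover": DISCOVER, "offer": OFFER, "relayed": RELAYED, "web": WEB}
    return {name: evaluate(INTER_COMPANY_ACL, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:9s} {verdict}")
```

Note that the "eq bootps" line alone already stops both the 68-to-67 client request and the 67-to-67 relayed request, because both are matched on destination port 67.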

Similar Messages

  • Denying telnet traffic from VRF interfaces on the router

    Hi,
    We are currently trying to accomplish incoming telnet traffic from a VRF interface being denied by the router (7613, IOS 12.2(18)SXF4). In the line vty, we have associated an access-class specifying the block that should be allowed for inbound telnet connections to the router. This is working well, but it also allows incoming telnet from a VRF interface having the same block as the global table block which is configured for allowing the incoming telnet connection. We don't want to allow any telnet connection from the VRF interface, even though it matches the permit block in the access-list.
    Kindly note that we have not specified the vrf-also command on the access-class.
    Please let us know a way to accomplish the above requirement.
    Thanking You
    Regards
    Anantha Subramanian Natarajan

    Hi,
    Thanks for the suggestion.
    I think I haven't made my requirement clear. We would not like applying an access-list to the VRF interfaces to achieve this requirement because then we may have to bind it to all the VRF interfaces (I mean customer interfaces), as we are acting as service provider. We are looking for a way by applying an access-class bound to line vty, which is common to all the telnet traffic.
    Kindly let us know if you have some suggestions on the same.
    Regards
    Anantha Subramanian Natarajan

  • Permit traffic from Inside to Outside, but not Inside to medium security interface

    Can someone just clarify the following. Assume ASA with interfaces as :
    inside (100)   (private ip range 1)
    guest (50)       (private ip range 2)  
    outside (0)      (internet)
    Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
    What’s the best practice way to achieve this?

    Hi,
    The "security-level" alone is ok when you have a very simple setup.
    I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
    If you want to control traffic from "inside" to any other interfaces (and their networks), I would suggest the following:
    Create an "object-group" containing all of the other networks
    Create an ACL for the "inside" interface
    First block all traffic to other networks using the "object-group" created
    After this allow all the rest of the traffic
    In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
    For example a situation where you have interfaces and networks
    WAN
    LAN-1 = 10.10.10.0/24
    LAN-2 = 10.10.20.0/24
    DMZ = 192.168.10.0/24
    GUEST = 192.168.100.0/24
    You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
    object-group network BLOCKED-NETWORKS
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interface's connections to the others, then you could make minor additions:
    Have all your local networks configured under the "object-group". This way you can use the same "object-group" for each interface ACL:
    object-group network BLOCKED-NETWORKS
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    access-list LAN-2-IN remark Block Traffic to Other Local Networks
    access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-2-IN remark Allow All Other Traffic
    access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
    access-list DMZ-IN remark Block Traffic to Other Local Networks
    access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
    access-list DMZ-IN remark Allow All Other Traffic
    access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
    access-list GUEST-IN remark Block Traffic to Other Local Networks
    access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
    access-list GUEST-IN remark Allow All Other Traffic
    access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
    Then you could basically use the same type of ACLs on each interface (though still separate ACLs for each interface). And as I said, if you need to open something between local networks then insert the correct "permit" rule at the top of the ACL.
    Hope this helps
    - Jouni

  • HT1311 I know this is a basic question, however, how do i change my pass word on itunes to stop my kids from automatically buying tunes from the I store... as my card details are already saved they just log in with their ipods and download via my account


    http://support.apple.com/kb/HE36
    Regards.

  • Can we Restrict Rows or Stop rows from breaking across pages in XSL-FO

    Hi,
    I am working on a PO Print report and my requirement is to stop rows from breaking across pages.
    Suppose there are three lines in a PO. Then the information of the third line of the PO comes partly on page 1 and the rest on page 2. I need all the line information on a single page and not broken across pages. Can I control the rows from breaking across pages? If not, then can I limit the rows?
    Any help would be appreciated. Thanks

    Hi vetsrini,
    Not very sure where to add the code. I have tried but it's not working. I have sent you the xsl file at [email protected]
    Please let me know where I should add the code.
    Thanks in advance

  • Ipv4 from dhcp, ipv6 static on single interface eth0

    Hi,
    Please help me understand or solve my problem with my network setup.
    I had an IPv4 address assigned dynamically and IPv6 set statically, both via netcfg, and everything worked without problem.
    This is my netcfg config:
    CONNECTION='ethernet'
    DESCRIPTION='A basic dhcp ethernet connection using iproute'
    INTERFACE='eth0'
    IP='dhcp'
    PRE_UP='ethtool -s eth0 wol g'
    PRE_DOWN='ethtool -s eth0 wol g'
    ## for IPv6 autoconfiguration
    #IP6='stateless'
    ## for DHCPv6
    IP6='static'
    ADDR6=(2002:54f2:xxxx:1::2/64)
    GATEWAY6=2002:54f2:xxxx:1::1
    But one day I received an error when booting up and also when I try to start the profile manually:
    /etc/rc.d/net-profiles start
    :: eth0 up
    RTNETLINK answers: File exists
    Adding gateway 2002:54f2:xxxx:1::1 failed
    No profile started.
    I found that I can't have two gateways on one interface, but until now there was no problem.
    When I disabled the GATEWAY6 line from the config, the eth0 profile can be started but IPv6 connectivity didn't work.
    I tried setting IPv6 to stateless, which works, but after some time, not more than 5 min, the network connection resets and after recovery in a couple of seconds only IPv4 works.
    Where's the problem? What can I do to achieve the same setup I had before some update last week?
    Thanks

    houmles wrote:I found that I can't have two gateways on one interface, but until now there's no problem.
    I suspect it's a problem with that; I've noticed this problem as well.
    When trying to add multiple default gateways with iproute2 (i.e., `ip r a default via xxx:xxx:xxx::xxxx`) it errors with the error you've mentioned. I'm not sure if this is a kernel bug, an iproute2 bug, or not a bug at all.
    Having multiple default IPv4 gateways works fine.
    I believe netcfg doesn't check for an existing gateway and delete it first (or use `ip r r` instead of `ip r a`) before adding the new one; but I haven't checked the code so I could be wrong.
    EDIT:
    OK, I couldn't resist looking at the code, and it indeed does a 'dumb' addition of the gateway:
    if [[ -n "$GATEWAY" ]]; then
        report_debug ethernet_iproute_up ip route add default via "$GATEWAY" dev "$INTERFACE"
        if ! ip route add default via "$GATEWAY" dev "$INTERFACE"; then
            report_iproute "Adding gateway $GATEWAY failed"
        fi
    fi
    I'm looking at making a patch now. Patch and bug report: https://bugs.archlinux.org/task/29480
    Last edited by fukawi2 (2012-04-16 01:00:09)

  • How can i configure my iphone to only pass traffic from certain apps over vpn

    I have got a telephony app that connects to a phone system through VPN. When I turn on "send all traffic through VPN", internet and other apps are really slow. Is there a way to configure the phone to send only traffic from the app through VPN?

    Now all my new apps as well as several others are gone from the iPhone.
    Look on other screens. The 4.1 update adds Game Center to the home screen. If that screen was full, it creates a blank screen and moves one app from the home screen to the new screen to make room for Game Center. All the other screens are pushed back one place.
    How can I get my apps back? It cost me a lot of time and money to discover those apps and get them onto the phone. Are they just gone now?
    If they are really gone, you can download them again. You will not be charged again if you use the same iTunes account.

  • NAT list getting hit for traffic from WAN IP

    I have an 871 setup at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that for traffic going from the WAN interface (FastEthernet4), it seems to be hitting the ACL in place for NAT. My config:
    interface Loopback0
    ip address 192.168.254.1 255.255.255.255
    interface FastEthernet4
    description Cable Modem Connection
    bandwidth 384
    ip address dhcp
    ip nat outside
    ip nat enable
    no ip virtual-reassembly
    duplex auto
    speed auto
    interface Vlan1
    no ip address
    bridge-group 1
    interface BVI1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip nat inside source list NATLIST interface FastEthernet4 overload
    ip access-list extended NATLIST
    permit ip 192.168.1.0 0.0.0.255 any
    deny ip any any log
    Seems to work just fine, but I will see this in my logs:
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 68.87.69.146(0), 1 packet
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 140.142.16.34(0), 1 packet
    Oct 30 17:21:56 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Oct 30 17:23:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 207.188.29.230(0), 1 packet
    Oct 30 17:25:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 121.18.13.100 (0/0), 2 packets
    Oct 30 17:27:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Where 76.22.98.39 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?
    IOS Version is 12.4(6)T9

    Hello Brom,
    I am facing the same situation: I can see a whole bunch of log entries which state that IP packets with the source address of the router's own WAN interface address are trying to reach a variety of IPs somewhere out there.
    I don't feel fine with just ignoring something; only in very rare situations has this been good advice. I believe this is not a solution.
    There's just one nagging question you should be able to answer.
    Since when does the router's own traffic need translation? If the router sends packets because it wants to reach a destination for some reason, it uses as source address the address of the interface the traffic is supposed to leave and sends it directly there, doesn't it?
    So why in the world are there thousands of packets denied by the NAT process (of course the NAT ACL doesn't allow this address), all showing the same pattern
    (pattern == protocol=udp AND source=ownWANIP AND port=0 AND destination=someIPoutthere AND port=0) as you can see from the following output? Because I think this is suspicious and tried it - wow! How do these packets get to the NAT process anyway?!

  • Curious Traffic from Firewall

    Good Day,
    I am noticing a large chunk of traffic to a subnet that should not exist. We are running EVERYTHING in the 10.0.0.0/8 subnet. We have NOTHING in the 172.16.0.0/12 or 198.168.0.0/16 subnets. That being said, we are noticing traffic that looks to be going OUT from our servers. I say that based on what I can find with other traffic and a black hole route on both our VOIP router and on our data router. There are 8 X-Serves, 4 high(ish) end Mac Minis, then far too many iMacs. This is the most active one, but 6 of the 12 look similar. The unique thing is the broadcasts seem to be from here. This one has 0.0.0.0:68 255.255.255.255:67.
    Relevant Info:
    SERVER is 10.X.Y.19 (OS X 10.6.8)
    AFP
    Firewall
    Open Directory (Replica)
    ANOTHERSERVER is 10.X.Y.13 (OS X 10.5.8)
    AFP
    Firewall
    Open Directory (Replica)
    ANOTHERSERVER2 is 10.X.Y.10 (OS X 10.6.8)
    AFP
    Firewall
    Open Directory (Replica)
    SMB
    Firewall log spam inc
    The rest of the servers have entries similar to:
    Oct 23 07:02:58 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 23 07:03:28: --- last message repeated 3 times ---
    Oct 23 16:23:44 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:06:41 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:07:11: --- last message repeated 1 time ---
    Oct 24 07:08:09 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:08:39: --- last message repeated 1 time ---
    Oct 22 07:04:11 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 22 07:04:15 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 22 07:04:47: --- last message repeated 1 time ---
    Oct 22 07:04:47 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 22 07:39:29 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1053 10.X.Y.10:139 in via en0
    Oct 22 16:43:42 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 23 07:02:56 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:137 10.X.Y.10:137 in via en0
    Oct 23 07:02:56 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1031 10.X.Y.10:139 in via en0
    Oct 23 07:02:58 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 23 07:13:34: --- last message repeated 3 times ---
    Oct 23 07:28:41 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1054 10.X.Y.10:139 in via en0
    Oct 23 16:23:44 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:06:41 ANOTHERSERVER2 ipfw[192]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:08:09: --- last message repeated 1 time ---
    Oct 24 07:08:09 ANOTHERSERVER2 ipfw[192]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
    Oct 24 07:08:39: --- last message repeated 1 time ---
    Oct 24 07:28:55 ANOTHERSERVER2 ipfw[192]:  1030 Deny TCP 172.17.117.10:1054 10.X.Y.10:139 in via en0
    Can anyone offer any insight into similar issues or able to point out where else to check? I did some basic checksumming across the commonly used tools that can require authentication (cp, chmod, chown, sudo, sh) and had a few checksums that were drastically different. This is somewhat creepy, but without the intimate knowledge of upgrading Mac OS X Server clients, I am not totally alarmed.
    As stated above, the 172.16.0.0/12 cannot route (due to the black hole route on both routers) but plenty of connections seem to be going OUT from the server. Is this indicative of some form of infectious nastiness or is there some Apple service(s) that I should look for to stop this traffic?
    Thank you in advance! If I missed anything, can clarify, or add anything...PLEASE LET ME KNOW! :-D
    Message was edited by: Verlorenen
    (Saved too soon, sorry)

    Verlorenen,
    Your port 67 and 68 traffic is likely because someone is trying to pull a DHCP address from your server(s).  Are they used as DHCP servers?  I suspect not, but someone clearly is trying to pull an address from them.  Reference this:
    http://www.linklogger.com/UDP67_68.htm
    As for the other stuff, port 1053 is a Remote Assistance port for Windows servers and is often used by a known trojan known as The Thief.  Now, with that in mind, it may be the case that some Windows machine/VM on your network, on the same IP network as the Mac servers, is infected, and the little malware that is installed is searching the network and trying to pull an IP via DHCP from anything/everything it can.  This might explain the port 67 and 68 traffic.  Many trojans do just that, whether it's a Windows trojan or others. Lastly, the 3283 traffic is Apple's Remote Desktop protocol, ARD in other words.  It seems someone on the .19 machine was trying to ARD to machines on the (apparently unused) 172.16.x.x network.  I wouldn't be as concerned by that, as long as you keep ARD locked down well (perhaps changing creds there might be in order just to be safer).
    My take-away from this though is this: do you have a network firewall?  You mention a router filter; that is not a firewall, with all due respect.  I'd be curious to know if you utilize a perimeter firewall.  The reason I ask is there is no good reason that port 67 and 68 should ever even GET to the Apple servers, as long as they are truly not DHCP servers of course (your list of functions above doesn't list them, so I assume they are not).  But the point is, why rely on just the Mac host-based firewall to block this stuff, when it shouldn't have to.  A perimeter security firewall would automatically not allow ports like 67 and 68 inbound to the servers unless you explicitly poke a hole for that. Again, no reason to in your case, if they are indeed not DHCP servers. If you do indeed have a solid perimeter firewall, then I suspect this traffic is being generated internally on your internal network, and that is indeed cause for more concern.  Track it down; I'm betting you find a Windows machine with a trojan on it.  Check all of them, including all virtual machines anyone may be running.
    I hope some of this is helpful.  I would also of course want you to be ABSOLUTELY sure that no one there uses 172.17.117.10 legitimately at all. Sometimes, odd looking networks like that are used by SSL VPN solutions, or other small pools of IPs just for a very specific use that you might not be thinking of always.  But in any case, let us know what you find.
    -SomeDude
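The ipfw lines quoted in this thread can be triaged mechanically. The script below is an added example, not code from either poster: it parses the ipfw syslog format shown above and sorts each packet into the four questions the thread raises (who is broadcasting DHCP DISCOVERs, who is answering as a DHCP server, which of our own hosts talk out to address space we do not use, and what comes in from that space). The sample log lines are constructed, modelled on the post with the masked 10.X.Y addresses replaced by 10.1.2.x; the "only 10.0.0.0/8 is legitimate, no DHCP server expected" policy is an assumption taken from the poster's description and should be adjusted for your own network.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# ipfw syslog line as it appears in the post above: rule number, action,
# protocol, src:port, dst:port, direction and interface. "--- last message
# repeated N times ---" lines carry no packet fields and will not match.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipfw\[\d+\]:\s+"
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Assumed site policy (from the poster's description, not a general rule):
# all legitimate hosts live in 10.0.0.0/8 and no DHCP server is expected to
# answer on the server segment.
EXPECTED_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORISED_DHCP_SERVERS = set()

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_ipfw_line(line):
    """Return a dict of fields for one ipfw log line, or None if it is not one."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def in_expected(addr):
    return any(addr in net for net in EXPECTED_PREFIXES)


def analyse(lines):
    """Bucket log lines into the questions the thread is asking."""
    findings = defaultdict(Counter)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        proto, src, dst = rec["proto"], rec["src"], rec["dst"]
        if proto == "UDP" and rec["sport"] == 68 and rec["dport"] == 67:
            # DISCOVER/REQUEST from a client. A 0.0.0.0 source is normal for a
            # client that has no lease yet; only the rate is interesting.
            findings["dhcp_client_broadcast"][f"{src} via {rec['iface']}"] += 1
        elif proto == "UDP" and rec["sport"] == 67 and rec["dport"] == 68:
            # OFFER/ACK: something is acting as a DHCP server on this segment.
            if str(src) not in AUTHORISED_DHCP_SERVERS:
                findings["rogue_dhcp_server"][str(src)] += 1
        elif rec["dir"] == "out" and dst != LIMITED_BROADCAST and not in_expected(dst):
            # Our own host initiating connections into address space we do
            # not use: a misconfigured client/tool, or something worse.
            findings["outbound_to_unexpected_prefix"][f"{dst}:{rec['dport']}/{proto}"] += 1
        elif rec["dir"] == "in" and src != UNSPECIFIED and not in_expected(src):
            findings["inbound_from_unexpected_prefix"][f"{src}->{rec['dport']}/{proto}"] += 1
    return findings


def report(findings):
    """One line per finding, most urgent category first."""
    order = ["rogue_dhcp_server", "inbound_from_unexpected_prefix",
             "outbound_to_unexpected_prefix", "dhcp_client_broadcast"]
    out = []
    for cat in order:
        for key, n in findings[cat].most_common():
            out.append(f"{cat:32} {key:36} x{n}")
    return out


# Constructed sample, modelled on the thread (10.X.Y replaced by 10.1.2).
SAMPLE_LOG = """\
Oct 24 11:30:15 SERVER ipfw[251]:  1020 Deny TCP 10.1.2.19:59377 172.16.1.40:3283 out via en0
Oct 24 11:30:16 SERVER ipfw[251]:  1020 Deny TCP 10.1.2.19:59378 172.16.1.97:3283 out via en0
Oct 24 11:30:45 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:44:43: --- last message repeated 1 time ---
Oct 23 07:02:58 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 23 07:02:56 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1031 10.1.2.10:139 in via en0
"""

if __name__ == "__main__":
    for line in report(analyse(SAMPLE_LOG.splitlines())):
        print(line)
```

Feed it the real log (`analyse(open("/var/log/ipfw.log").readlines())` on a 10.6 server) and the rogue_dhcp_server bucket answers the first question in the thread directly: any address that appears there is handing out leases on your segment, authorised or not. The outbound bucket is keyed by destination and port, so a burst of 3283/TCP towards 172.16.x.x from one host is what an ARD scan of a stale computer list looks like, while a spread of ports would point at something scanning.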

  • OSX sends out DHCP requests through the wrong interface

    I have set up an Xserve, so far only providing file services over AFP. It is located in our computer room on a different broadcast domain. I use a separate machine as a DNS. I would like to use my Xserve's 2nd ethernet interface to provide NetBoot/NetInstall services on a 192.168.x.x network for bulk imaging of our clients. I have enabled DHCP and set up NetBoot on eth1, but the system.log shows that it is flooding my computer room network, sending DHCP requests from eth0.
    I have checked the bootpd.plist file and the settings seem ok.

    Check your terminology.
    it is flooding my computer room network sending dhcp requests from eth0.
    The only way it would send any DHCP traffic on en0 would be if en0 was configured to use DHCP for its own configuration.
    Running as a DHCP server is entirely passive - nothing happens until the server receives a request from a client on the LAN. Only at that point does the DHCP server send any traffic out over the wire.
    In addition, 'flood' is a relative term. How much traffic are we talking here? Are you talking a few packets such as in the normal DHCP client request/refresh cycle, or are you talking hundreds of packets a second?

  • CSS11503 - Inbound and outbound traffic on same virtual interface

    Setup two CSS11503's running 8.10. Running and active/passive config.
    Two groups of servers each with a VIP. Both groups of servers on the same VLAN.
    The VIP's reside on VLAN1 and the servers are on VLAN2
    Problem:
    Servers from one group cannot access the other via its VIP. Servers cannot access themselves via their VIP as well.
    Can ping the VIPs without a problem.
    I assume that this is because that traffic generated by a client is going in and out of the same interface.
    I have come across similar problems on various firewalls.
    Is there any way of getting around this.
    Thanks
    Julian

    Julian,
    this is not the same issue as firewall preventing traffic to go in and out the same interface.
    The problem here is that the CSS will receive traffic from Server1, it will NAT the VIP into Server2 and forward the traffic keeping the src IP unchanged.
    So, when Server2 replies, it sends the response to Server1. Since they are on the same subnet, the response bypasses the CSS and Server1 receives a response from Server2, which is unknown to Server1 since it expects a response from the VIP.
    The solution is to implement source NAT on the CSS for traffic originating from the servers.
    This can be done with a group and an ACL.
    This was discussed many times, so I think you should be able to find a sample config somewhere.
    If you can't let me know.
    Gilles.

  • How to stop OS X from retrieving reverse DNS name ?!

    Hello guys,
    I have a small problem that's very annoying. I manage a couple dozen Macs at work via ARD. All Macs are up to date and so is ARD.
    Recently I started to notice something bizarre in ARD, meaning that from time to time a couple of Macs that were passed over from an ex-employee to another current employee behaved erratically in ARD. Sometimes they appear offline, sometimes they disappear entirely (also in Scanner), BUT most of the time they appear with an incorrect DNS name (e.g. the DNS name from the ex-employee, or even duplicate DNS names).
    I attached a pic in which you can clearly see what I'm all about.
    I tried different situations and config mods, and I almost nailed it when I changed the DHCP DNS settings from the router. Currently the router LAN DNS settings point to the local server (ie: 10.0.1.2) which has DNS enabled and then to the public DNS. If I switch the entries, then the DNS names appear correctly in ARD, but if I do that I also lose the iChat service which is dependent on that entry.
    So I think the best way is to figure out a way to stop OS X from retrieving reverse DNS names. Is this possible?

    I've had this issue too.  This thread may be helpful:
    https://discussions.apple.com/thread/4190442
    Most of our computers have static IP addresses assigned, so it is just some laptops that receive DHCP that seem to get confused in ARD sometimes.  As in your case, the computers themselves never have an issue - it is just ARD that gets mixed messages.  It also never seems to affect ARD, it just displays incorrectly. While I'm not entirely convinced this is fixable, I took the advice of the thread above and when it gets really bad, I simply go to "All Computers" and delete everything out.  Then I quit and reopen ARD and then from the Scanner, I re-add the computers and re-organize them.  We only have about 30 computers, so it goes quick when they are all turned on.  They seem to stay pretty organized for a while... and then the cycle begins again.
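Both posters describe the symptom (stale or duplicated names for one address) without checking the zone itself. The script below is an added example, not from either poster: it audits a forward map against a reverse map and reports PTR records that point at names with no A record (stale), PTRs whose name forward-resolves elsewhere (mismatch), addresses with more than one PTR (duplicates), and A records with no PTR at all. The sample zones are constructed to mirror the thread's scenario (a laptop handed from one employee to another and renamed); `live_audit` runs the same check against the resolver the host actually uses and needs network access.

```python
import ipaddress
import socket


def reverse_pointer(ip):
    """PTR owner name for an address, e.g. 10.0.1.23 -> '23.1.0.10.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def audit_reverse_zone(forward, reverse):
    """Compare a forward map {name: ip} with a reverse map {ip: [names]}.

    Returns {ip: [problem strings]}. A machine that is renamed or handed to
    another user leaves exactly the stale and duplicate PTRs that make a
    management console show the wrong name for an address.
    """
    problems = {}
    for ip, names in reverse.items():
        issues = []
        if len(names) > 1:
            issues.append(f"{len(names)} PTR records: {', '.join(sorted(names))}")
        for name in names:
            fwd = forward.get(name)
            if fwd is None:
                issues.append(f"PTR -> {name} but no A record for that name (stale)")
            elif fwd != ip:
                issues.append(f"PTR -> {name} but A record points to {fwd} (mismatch)")
        if issues:
            problems[ip] = issues
    for name, ip in forward.items():
        if ip not in reverse:
            problems.setdefault(ip, []).append(f"A record {name} -> {ip} has no PTR")
    return problems


def live_audit(ips):
    """Same check using the system resolver (requires network and DNS)."""
    forward, reverse = {}, {}
    for ip in ips:
        try:
            name = socket.gethostbyaddr(ip)[0]
        except OSError:
            continue
        reverse[ip] = [name]
        try:
            forward[name] = socket.gethostbyname(name)
        except OSError:
            pass
    return audit_reverse_zone(forward, reverse)


# Constructed sample: alice left, her laptop went to bob and was renamed, but
# the 10.0.1.23 PTR still carries the old name alongside the new one; carol's
# iMac moved from .41 to .40 and only the A record was updated.
SAMPLE_FORWARD = {
    "bob-mbp.example.com": "10.0.1.23",
    "server.example.com": "10.0.1.2",
    "carol-imac.example.com": "10.0.1.40",
}
SAMPLE_REVERSE = {
    "10.0.1.23": ["alice-mbp.example.com", "bob-mbp.example.com"],
    "10.0.1.2": ["server.example.com"],
    "10.0.1.41": ["carol-imac.example.com"],
}

if __name__ == "__main__":
    for ip, issues in sorted(audit_reverse_zone(SAMPLE_FORWARD, SAMPLE_REVERSE).items()):
        for issue in issues:
            print(f"{ip:12} {issue}")
```

On a server that hosts both zones, dump them (for BIND, `named-checkzone -D` or the zone files themselves) into the two maps and fix whatever the audit prints; ARD only displays what the resolver returns, so cleaning the PTRs is the fix rather than trying to stop OS X from doing reverse lookups.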

  • Prioritizing traffic from "main" computer on LAN

    My Current Setup
    internet           router (dhcp server) main computer
    ●──────────────────●────────────(eth1)─●
                       │                   │(eth0)
                       │                   │
                       │     switch        │
                       └─────●─────────────┘
                             │
                             └─● [other computers]
    My main computer is connected to the router via a switch on eth0 and directly via a usb cable on eth1. Other computers on the LAN connect to the router via the switch.
    The Problem
    I need to shape traffic in such a way that priority is given to uploads from the main computer when other computers are uploading.* I do not always have the option of throttling the upload on the other systems and I do not want to impose any arbitrary limits on them. I simply want to make sure that all the necessary bandwidth is given to the main computer and whatever is left over can be used for the other computers.
    NOTE: I cannot shape traffic via the router. My ISP uses crippling firmware and I cannot bypass it.
    The Plan
    The main computer is not always on so I can't configure it to be an integral part of the network. I don't mind having to disconnect and reconnect a cable though so I suspect that I can disconnect the switch from the router and thus shape traffic from the other computers by passing it through the main computer:
    internet           router (dhcp server) main computer
    ●──────────────────●────────────(eth1)─●
                                           │(eth0)
                                           │
                             switch        │
                             ●─────────────┘
                             │
                             └─● [other computers]
    This is where I need some help. I've looked through a lot of documentation but I'm still not sure how to set this up. I think I need to use proxy ARP (with iproute2) but I'm hoping that someone else can confirm this before I explore it further. I'm afraid that I'll waste time only to find that it was a false start and that I need to do it differently.
    Can anyone with network configuration experience confirm that proxy ARP is the way to go? If not, what do you suggest?
    I would also appreciate any links to relevant tutorials|guides|documentation. I wouldn't mind some simple examples either but I'm not asking anyone to do this for me. I just need to know that I'm on the right path.
    Thanks.
    *I'm only concerned about upload bandwidth right now because I'm on ADSL and download bandwidth is usually not an issue. I also expect that any solution for upload shaping will work for download shaping as well.

    Xyne wrote:I think I need to use proxy ARP (with iproute2) but I'm hoping that someone else can confirm this before I explore it further. I'm afraid that I'll waste time only to find that it was a false start and that I need to do it differently.
    God no.... Proxy ARP is the most god awful creation ever created. The person who thought that was a good idea should be taken out the back and shot.
    You want to create a bridge with eth0 and eth1 = br0 so they both act on the same Layer 2 (ie, your Main computer becomes a 2-port switch). This should get you going, you'll just have to hack out / modify the firewall parts to do the traffic prioritisation stuff:
    http://www.sjdjweis.com/linux/bridging/

  • UDP Broadcast Traffic from Cisco ASA

    Hi,
    I want to know that, like Cisco IOS Router, Does Cisco ASA pass the UDP Broadcast traffic e.g., TFTP etc...?
    Any thoughts ???
    BR,
    Mubasher Sultan

    Hi Mubasher,
    Unlike the router, the ASA does not forward any kind of broadcast packet (with the exception of the DHCP broadcasts when DHCP Relay is enabled).
    I understand that your DHCP server is providing here the IP address for your TFTP servers. I guess you are using DHCP option 150.
    So if the DHCP server is on one interface and the client is on another you can configure DHCP Relay on your ASA.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
    In regard to the TFTP requests, these will be normal unicast packets, as Cadet said, so just make sure that you have the proper ACLs and NAT rules for that.
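The relay configuration the reply refers to, as an added example (not from the thread or the linked Cisco page). The interface names and the server address are assumed; the commands are the standard ASA `dhcprelay` family.

```text
! Assumed topology: DHCP server 10.10.10.5 is behind the "dmz" interface,
! clients sit on "inside". The ASA itself answers the client's broadcast
! and forwards it to the server as unicast, so no broadcast has to cross
! the firewall.
dhcprelay server 10.10.10.5 dmz
dhcprelay enable inside
! Optional: overwrite the default-gateway option in the server's reply
! with the ASA's own inside address.
dhcprelay setroute inside
! Seconds to wait for the server's reply before giving up on the client.
dhcprelay timeout 90
```

Two checks after applying it: `show dhcprelay statistics` should show requests relayed and replies received, and any access-list applied to the dmz interface must permit udp from the server on port bootps (67) back to the ASA, otherwise the relayed OFFER never returns. Option 150 (TFTP server address) still comes from the DHCP server's own scope; the relay does not add or rewrite options other than the optional gateway.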

  • How do I stop my Mac from redirecting me to things such as MacKeeper?

    How do I stop my Mac from redirecting me to things such as MacKeeper?

    You may have installed the "VSearch" trojan, perhaps under a different name. Remove it as follows.
    Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
    Back up all data before proceeding.
    Triple-click anywhere in the line below on this page to select it:
    /Library/LaunchAgents/com.vsearch.agent.plist
    Right-click or control-click the line and select
              Services ▹ Reveal in Finder (or just Reveal)
    from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
    Repeat with each of these lines:
    /Library/LaunchDaemons/com.vsearch.daemon.plist
    /Library/LaunchDaemons/com.vsearch.helper.plist
    /Library/LaunchDaemons/Jack.plist
    Restart the computer and empty the Trash. Then delete the following items in the same way:
    /Library/Application Support/VSearch
    /Library/PrivilegedHelperTools/Jack
    /System/Library/Frameworks/VSearch.framework
    ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
    From the Safari menu bar, select
              Safari ▹ Preferences... ▹ Extensions
    Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
    Reset the home page and default search engine in all the browsers, if it was changed.
    This trojan is distributed on illegal websites that traffic in pirated content. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.
    You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that this Internet criminal has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
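The removal steps above are a fixed list of paths, and the reply itself warns that the names change between variants. The script below is an added example, not from the reply's author: it checks for the listed artefacts under a given root (so it can be run against a mounted volume as well as `/`), reads any launchd plist it finds to show which program the job actually starts, and separately enumerates every system-wide launchd job so a renamed variant that starts a binary from `/Library/Application Support` or `/Library/PrivilegedHelperTools` can still be spotted. `make_sample_tree` builds a constructed fake tree in a temporary directory so the script runs without touching a real system.

```python
import plistlib
import tempfile
from pathlib import Path

# The artefact paths listed in the removal steps above.
KNOWN_ARTIFACTS = [
    "/Library/LaunchAgents/com.vsearch.agent.plist",
    "/Library/LaunchDaemons/com.vsearch.daemon.plist",
    "/Library/LaunchDaemons/com.vsearch.helper.plist",
    "/Library/LaunchDaemons/Jack.plist",
    "/Library/Application Support/VSearch",
    "/Library/PrivilegedHelperTools/Jack",
    "/System/Library/Frameworks/VSearch.framework",
    "~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin",
]

LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]


def _resolve(artifact, root, home):
    """Map a listed path onto the root (and home directory) being scanned."""
    if artifact.startswith("~/"):
        return Path(home) / artifact[2:]
    return Path(root) / artifact.lstrip("/")


def describe_launchd_plist(path):
    """Return (Label, program) for a launchd job file; (None, None) if unreadable."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:
        return None, None
    program = job.get("Program")
    if program is None and job.get("ProgramArguments"):
        program = job["ProgramArguments"][0]
    return job.get("Label"), program


def scan_known(root="/", home=None):
    """Which of the listed artefacts exist, and what any launchd job among them runs."""
    home = home or str(Path.home())
    hits = []
    for artifact in KNOWN_ARTIFACTS:
        p = _resolve(artifact, root, home)
        if not p.exists():
            continue
        label, program = (None, None)
        if p.is_file() and p.suffix == ".plist":
            label, program = describe_launchd_plist(p)
        hits.append({"artifact": artifact, "label": label, "program": program})
    return hits


def list_launchd_jobs(root="/"):
    """Every system-wide launchd job with the program it starts, for variants
    that use names not on the list above."""
    jobs = []
    for d in LAUNCHD_DIRS:
        for p in sorted((Path(root) / d.lstrip("/")).glob("*.plist")):
            label, program = describe_launchd_plist(p)
            jobs.append({"plist": str(p), "label": label, "program": program})
    return jobs


def make_sample_tree():
    """Constructed fixture: a fake root with one daemon plist and the
    user-level plugin bundle, so the scanner can be exercised offline."""
    root = tempfile.mkdtemp()
    daemons = Path(root) / "Library/LaunchDaemons"
    daemons.mkdir(parents=True)
    with open(daemons / "com.vsearch.daemon.plist", "wb") as fh:
        plistlib.dump({"Label": "com.vsearch.daemon",
                       "ProgramArguments": ["/Library/Application Support/VSearch/vsearchd", "-d"],
                       "RunAtLoad": True}, fh)
    home = Path(root) / "Users/demo"
    (home / "Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin").mkdir(parents=True)
    return root, str(home)


if __name__ == "__main__":
    root, home = make_sample_tree()
    for hit in scan_known(root, home):
        print("found:", hit)
    for job in list_launchd_jobs(root):
        print("launchd job:", job["label"], "->", job["program"])
```

Run `scan_known("/")` as an administrator on the affected Mac; each hit's `program` field tells you what to look for in `list_launchd_jobs` output if the job names differ from the list. Removing the plist files without unloading the jobs (`launchctl unload`) leaves them running until the restart the reply calls for.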
