[ALUG] Firewall log entry

steve-ALUG at hst.me.uk
Tue Jan 26 09:11:07 GMT 2016


Hi y'all!
I'm confuzzled.

I have repeated entries in my syslog in log file viewer.


Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:31:42 MYSERV kernel: [25624.013768] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017039] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
Jan 26 08:33:48 MYSERV kernel: [25750.017562] [UFW BLOCK] IN=eth0 OUT= MAC=BIG_MAC SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2

Where MYSERV is the name of my server, and
BIG_MAC is what appears to be a MAC address, but longer than I am used to;
always the same number, 01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00

As far as I can see, 192.168.1.1 is connecting to a broadcast address, 
to see if anyone's there.
Thing is, 192.168.1.1 IS NOT an address that I'm aware I'm using; my 
subnet is 192.168.0.*.

If I open 192.168.1.1 in a web browser, it opens a trivial webpage I have 
set up as an adblock-replacement page.  The thing is, this web page 
normally serves on 127.0.0.1.

On the server, if I ping 192.168.1.1 it responds in about the same 
amount of time as 192.168.0.1

I suspect that 192.168.1.1 is my own server bound somehow to another IP 
address.
I doubt that this is something from outside getting in to my network.
Can anyone help me find out what it is, where it is, and how to stop it?

Cheers
Steve
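
Added example, not part of the original post: a small parser for the [UFW BLOCK] entries quoted above. It relies on the fact that the netfilter MAC= field is the frame's 14-byte Ethernet header (destination MAC, source MAC, EtherType), which is why it looks longer than a MAC address; the function names and lookup tables are this example's own.

```python
import ipaddress
import re

# Log entry from the post, rejoined onto one line (BIG_MAC expanded to the value the post gives).
SAMPLE = ("Jan 26 08:31:42 MYSERV kernel: [25624.013276] [UFW BLOCK] IN=eth0 OUT= "
          "MAC=01:00:5e:00:00:01:a0:21:b7:43:91:37:08:00 SRC=192.168.1.1 "
          "DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2")

# Partial lookup tables; unknown values are passed through unchanged.
IP_PROTOCOLS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}
ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}


def parse_ufw_line(line):
    """Return the KEY=VALUE fields of a UFW/netfilter log line as a dict."""
    if "[UFW " not in line:
        raise ValueError("not a UFW log line")
    return dict(re.findall(r"(\w+)=(\S*)", line))


def split_mac_field(mac):
    """Split the 14-byte MAC= field into destination MAC, source MAC and EtherType."""
    octets = mac.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (an Ethernet header), got %d" % len(octets))
    return ":".join(octets[:6]), ":".join(octets[6:12]), ":".join(octets[12:])


def describe(line):
    """Summarise who sent the frame and what kind of traffic it was."""
    f = parse_ufw_line(line)
    dst_mac, src_mac, ethertype = split_mac_field(f["MAC"])
    return {
        "action": re.search(r"\[UFW (\w+)\]", line).group(1),
        "sender_mac": src_mac,
        "dest_mac": dst_mac,
        # Low bit of the first octet set means a group (multicast/broadcast) address.
        "dest_mac_is_group": bool(int(dst_mac[:2], 16) & 1),
        "ethertype": ETHERTYPES.get(ethertype, ethertype),
        "src_ip": f["SRC"],
        "dst_ip": f["DST"],
        "dst_ip_is_multicast": ipaddress.ip_address(f["DST"]).is_multicast,
        "protocol": IP_PROTOCOLS.get(f["PROTO"], f["PROTO"]),
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:20} {value}")
```

The sender_mac value can be compared with the output of `ip neigh` and `ip link` on the server to see which device or interface owns the address the packets come from.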


