Router messages

Here are a couple of alerts that turn up in the logs (the second one, every hour):

Inbound Policy Violation (Access Denied, IP = 192.168.1.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 192.168.1.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 9

Inbound Policy Violation (Access Denied, IP = 192.168.1.1, Port = ntp(123))
Protocol: UDP Incoming
Source: 192.168.1.1:4329
Destination: 0.0.0.0:ntp(123)
Reason: Network Control Rule ID = 9

Is there a need to deal with them, for instance, with Network Monitor rules? Perhaps nothing on the PC is listening for these things. They do pile up in the log.

My rule 9 is the default Block & Log rule, after I added a couple of others.

Hi Ravenheart

I’m not an expert at this, since I don’t have a router. But I think you need to create a Trusted Zone in CFP (Security tab - Tasks button) that contains your PC’s LAN IP (and any other LAN PCs if you need/want them) and your router’s LAN IP (192.168.1.1). I think you need to trust your router.

The first block is DHCP… maybe trying to give you your Internet IP (assuming you do this), & NTP is the time protocol… the router either wants to know the time or maybe it’s offering you the time.

Kail, thanks, but I don’t know–the existing zone for the NIC already includes the router’s IP in its range.

OK, I see. In that case I suppose you need to configure your router to stop offering DHCP & NTP. Does your router have a manual? A Google search on your router & DHCP/NTP will probably yield some useful stuff as well.

Failing all that, you can always create silent block rules in the Network Monitor for these events. Just create 2 new block rules: one for Inbound UDP, with source port 67 & destination port 68 and a source IP of 192.168.2.2, and one more for Inbound UDP, with a destination port of 123 and a source IP of 192.168.1.1. Don’t tick the Log box for either of these rules, and make sure the new rules are above your final block & log rule.

Hi Ravenheart

You can probably disable NTP (Network Time Protocol) in your router, although I’d make sure either it or you don’t need access to it first.

You may also find you can adjust your router’s DHCP configuration, so that fewer DHCP requests are sent on the network.

Thanks all.

I’ll try silent block rules. I actually need the DHCP, but DHCP renewal is working. I just wonder what the port 67/68 thing is about. The message wasn’t at the same time as the renewal.

On the other hand, I’m sure nothing on the PC is looking to the router for NTP settings, which is a good thing, since there’s no way to update the router on daylight saving rules. I have a pretty good local NTP client (SocketWatch).

From UDP port 67 to 255.255.255.255 (broadcast) UDP port 68 is usually a DHCP offer; I’m not sure why it’s being rejected if you’re using DHCP. If you do create the silent block rules, you’ll need to ensure that they do not break the DHCP renewal. If the DHCP rule does break it, you could add 255.255.255.255 as the destination IP. I don’t believe DHCP renewal uses the broadcast IP.

Hello,

Did you use the trusted network wizard in CPF Security Tasks?

[attachment deleted by admin]

Gibran, yes, the wizard offers only the choice that’s already working, the NIC with the range 192.168.1.0–192.168.1.255.

Kail, the block rules are working, but renewal seems to be happening. Here’s from IPCONFIG:

Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : [snipped]
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Thursday, May 24, 2007 10:53:24 AM
Lease Expires . . . . . . . . . . : Friday, May 25, 2007 10:53:24 AM

And the PC is in the router’s clients table.

Looking at Wikipedia, I wonder if BOOTP is just an older fallback method to dole out IP addresses if a client doesn’t handle DHCP.

Whilst BOOTP and DHCP have some things in common, DHCP has, to all intents and purposes, replaced BOOTP.

Originally, BOOTP was designed to support diskless workstations by supplying both an IP address and the IP address of a server that contained an OS image that could be used by the workstation.

DHCP is built on the BOOTP standard: it uses the same ports, 67 and 68, and some of the same methods. It also has an extended ability to offer additional information to clients.
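As an added example (not code from any post in this thread), the decoder below shows what Toggie describes: a DHCP message is the fixed 236-byte BOOTP header followed by a magic cookie and TLV options, which is why the router's offer travels on the same 67 → 68 ports. It also applies the RFC 2131 rule for where a server sends its reply, which is what decides whether the PC sees the offer arrive at 255.255.255.255 or at its own address. The sample DHCPOFFER is constructed, not captured from anyone's router; the field values (client MAC, offered address 192.168.1.100, one-day lease) are assumptions.

```python
"""Decode a BOOTP/DHCP payload and say where the server's reply goes.

Added example for this thread, not code from any post. A sniffer on the
PC/router link would hand you bytes like these; the OFFER below is
constructed, not captured.
"""
import socket
import struct

# Fixed 236-byte BOOTP header (RFC 951). DHCP (RFC 2131) reuses it unchanged
# and appends a magic cookie plus TLV options.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000  # top bit of the 'flags' field
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_options(data):
    """Parse DHCP TLV options: skip PAD (0), stop at END (255), reject truncation."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Return a dict with the BOOTP header fields and, if present, DHCP options."""
    if len(payload) < BOOTP_HEADER.size:
        raise ValueError("payload shorter than a BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = BOOTP_HEADER.unpack_from(payload)
    msg = {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "unknown(%d)" % op),
        "xid": xid,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "ciaddr": socket.inet_ntoa(ciaddr),  # client's current address (renewals)
        "yiaddr": socket.inet_ntoa(yiaddr),  # address being offered/assigned
        "siaddr": socket.inet_ntoa(siaddr),  # next server: the BOOTP boot server
        "giaddr": socket.inet_ntoa(giaddr),  # relay agent, if any
        "chaddr": chaddr[:hlen].hex(":"),
        "kind": "BOOTP", "dhcp_type": None, "options": {},
    }
    rest = payload[BOOTP_HEADER.size:]
    if rest[:4] == MAGIC_COOKIE:  # the cookie is what makes a BOOTP frame DHCP
        opts = parse_options(rest[4:])
        msg["kind"], msg["options"] = "DHCP", opts
        if len(opts.get(53, b"")) == 1:
            msg["dhcp_type"] = MSG_TYPES.get(opts[53][0], "unknown(%d)" % opts[53][0])
        if len(opts.get(51, b"")) == 4:
            msg["lease_seconds"] = struct.unpack("!I", opts[51])[0]
        if len(opts.get(54, b"")) == 4:
            msg["server_id"] = socket.inet_ntoa(opts[54])
    return msg


def reply_destination(msg):
    """Where a server sends DHCPOFFER/DHCPACK (RFC 2131 section 4.1).

    The server copies ciaddr, giaddr and flags from the client's message,
    so this works on either the request or the reply.
    """
    if msg["giaddr"] != "0.0.0.0":
        return (msg["giaddr"], 67)  # via the relay agent
    if msg["ciaddr"] != "0.0.0.0":
        return (msg["ciaddr"], 68)  # unicast: client already holds an address
    if msg["broadcast_flag"]:
        return ("255.255.255.255", 68)  # client asked for a broadcast reply
    return (msg["yiaddr"], 68)  # unicast to chaddr/yiaddr


def build_sample_offer():
    """Constructed DHCPOFFER to a client with no address yet and the broadcast bit set."""
    ip = socket.inet_aton
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10  # assumed client MAC
    header = BOOTP_HEADER.pack(2, 1, 6, 0, 0x3903F326, 0, BROADCAST_FLAG,
                               ip("0.0.0.0"), ip("192.168.1.100"), ip("192.168.1.1"),
                               ip("0.0.0.0"), chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (b"\x35\x01\x02"                            # 53: DHCPOFFER
               + b"\x36\x04" + ip("192.168.1.1")          # 54: server identifier
               + b"\x33\x04" + struct.pack("!I", 86400)   # 51: lease time, one day
               + b"\x01\x04" + ip("255.255.255.0")        # 1: subnet mask
               + b"\x03\x04" + ip("192.168.1.1")          # 3: router
               + b"\xff")                                 # 255: end
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    m = parse_dhcp(build_sample_offer())
    print(m["kind"], m["dhcp_type"], "yiaddr", m["yiaddr"], "->", reply_destination(m))
```

Feeding `reply_destination` a message with `ciaddr` set (a renewing client) returns the client's own address, which is the unicast case later in the thread; only a client with no address and the broadcast bit set gets its offer at 255.255.255.255.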

Just to add to the info from Toggie about bootp:

Bootp can be used on a Cisco router when your subnet does not have a DHCP server actually physically set up on your subnet that it can get an IP address from. Bootp can be set up on the router to allow your PC to request an IP address or renewal from a designated DHCP server that is on another subnet.

I do know that Linksys (Cisco-owned) uses bootp to set up the DHCP server for giving out addresses on their home routers. I don’t know exactly how they set it up; I just know they do.

The broadcast that you are getting could be the DHCP server on your router trying to renew the IP address. I believe the default lease on a Linksys is set to 1 day, but I’m not sure on that. Once you get an address, then I think once 1/2 of the lease is up (could be less) the DHCP server starts broadcasting (255.255.255.255) to renew the lease, and it will keep trying until the lease is either renewed or the lease runs out.

hope this helps,

jasper

Something is not right…

You should have a rule like this:

ALLOW IP IN From IP Zone:NIC - 192.168.1.0-192.168.1.255 To IP [ANY] Where IPPROTO is [ANY]

This rule should match both:

Protocol: UDP Incoming
Source: 192.168.1.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)

Protocol: UDP Incoming
Source: 192.168.1.1:4329
Destination: 0.0.0.0:ntp(123)

What IDs have the CPF wizard-generated rules got?

jaspar2408, thanks, that checks out, I have a Linksys BEFSX41 and noticed that the renewals and bootp messages were coming about 12 hours apart, which I wondered at.

gibran, let me try that, there seems to be no reason to block these messages.

“What IDs have the CPF wizard-generated rules got?”–I’m not sure I understand the question.

Something is not right...

I’ve been thinking about this too…

Your router is at address 192.168.1.1:

Inbound Policy Violation (Access Denied, IP = 192.168.1.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 192.168.1.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)

This seems the wrong way round to me.

Initially, a DHCP client will broadcast (255.255.255.255) for an address, as it does not know the address of the DHCP server. However, once the client has acquired an address, subsequent communication (starting at half the lease duration) is unicast; that is, when a client attempts a renewal of its address, it does so directly with the server that issued the address. It only resorts to broadcasting if the server cannot be found.

This entry in the logs seems to be suggesting the router is broadcasting. That makes no sense to me?

The first (topmost) rule in network monitor has an ID of 0, subsequent rules have an increasing ID number >0

Your block all has an ID of 9, so the trusted network rules should have an ID between 0 and 8.

Can you post a screenshot of your ruleset?
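As an added example (not Comodo's code and not from any post here), the evaluator below models the ordering Toggie describes: rule ID 0 at the top, IDs increasing downwards, first match wins, with the Block & Log catch-all last. It parses the two logged entries from this thread, then runs them against gibran's zone rule and against Kail's two silent block rules, and also checks Kail's caveat that a broad 67 → 68 block would swallow a unicast lease renewal unless its destination is narrowed to 255.255.255.255. The rule model and log regex are simplified assumptions; the renewal entry (to 192.168.1.100) is constructed, and placing the silent blocks above the zone rules is a deliberate choice to make that caveat visible.

```python
"""First-match evaluator for an ordered Network Monitor-style ruleset.

Added example for this thread, not Comodo's code. Rule IDs are positions
(0 = top), first match wins, and the last rule is the Block & Log catch-all.
The rule model and log parsing are simplified assumptions; two log entries
are from the thread, the renewal entry is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "BLOCK"
    direction: str       # "IN", "OUT" or "ANY"
    proto: str           # "UDP", "TCP", "ICMP", or "IP" meaning any protocol
    src: str = "ANY"     # "ANY", one IPv4 address, or "first-last" (a zone)
    dst: str = "ANY"
    sport: str = "ANY"   # "ANY", one port, or "first-last"
    dport: str = "ANY"
    log: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


# Matches the three lines CFP prints, e.g. "Source: 192.168.1.1:bootp(67)" or ":4329".
LOG_RE = re.compile(
    r"Protocol:\s*(\w+)\s+(Incoming|Outgoing)\s*"
    r"Source:\s*([\d.]+):(?:[\w-]+\()?(\d+)\)?\s*"
    r"Destination:\s*([\d.]+):(?:[\w-]+\()?(\d+)\)?")


def parse_log_entry(text):
    m = LOG_RE.search(text)
    if not m:
        raise ValueError("not a Network Monitor log entry")
    proto, direction, src, sport, dst, dport = m.groups()
    return Packet(proto.upper(), "IN" if direction == "Incoming" else "OUT",
                  src, int(sport), dst, int(dport))


def _ip_in(spec, addr):
    if spec == "ANY":
        return True
    lo, _, hi = spec.partition("-")
    lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
    return lo <= ipaddress.IPv4Address(addr) <= hi


def _port_in(spec, port):
    if spec == "ANY":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    return (rule.direction in ("ANY", pkt.direction)
            and rule.proto in ("IP", pkt.proto)
            and _ip_in(rule.src, pkt.src) and _ip_in(rule.dst, pkt.dst)
            and _port_in(rule.sport, pkt.sport) and _port_in(rule.dport, pkt.dport))


def evaluate(rules, pkt):
    """Return (rule_id, rule) of the first match, or (None, None) if nothing matches."""
    for rule_id, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule_id, rule
    return None, None


ZONE = "192.168.1.0-192.168.1.255"
BLOCK_AND_LOG = Rule("BLOCK", "ANY", "IP", log=True)
ZONE_RULES = [Rule("ALLOW", "IN", "IP", src=ZONE), Rule("ALLOW", "OUT", "IP", dst=ZONE)]


def ruleset_trusted_zone():
    """gibran/Toggie: zone IN and OUT rules at IDs 0 and 1, catch-all last."""
    return ZONE_RULES + [BLOCK_AND_LOG]


def ruleset_silent_blocks(dhcp_dst="ANY"):
    """Kail: two non-logging blocks above the rest; dhcp_dst narrows the DHCP one."""
    return ([Rule("BLOCK", "IN", "UDP", src="192.168.1.1", dst=dhcp_dst, sport="67", dport="68"),
             Rule("BLOCK", "IN", "UDP", src="192.168.1.1", dport="123")]
            + ZONE_RULES + [BLOCK_AND_LOG])


DHCP_OFFER_LOG = """Protocol: UDP Incoming
Source: 192.168.1.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)"""
NTP_LOG = """Protocol: UDP Incoming
Source: 192.168.1.1:4329
Destination: 0.0.0.0:ntp(123)"""
# Constructed: a unicast lease-renewal reply to this PC (assumed address 192.168.1.100).
RENEWAL_LOG = """Protocol: UDP Incoming
Source: 192.168.1.1:bootp(67)
Destination: 192.168.1.100:dhcp(68)"""

if __name__ == "__main__":
    for name, text in [("offer", DHCP_OFFER_LOG), ("ntp", NTP_LOG), ("renewal", RENEWAL_LOG)]:
        pkt = parse_log_entry(text)
        for label, rules in [("zone", ruleset_trusted_zone()),
                             ("silent", ruleset_silent_blocks()),
                             ("silent+bcast", ruleset_silent_blocks("255.255.255.255"))]:
            rid, rule = evaluate(rules, pkt)
            print(f"{name:8} {label:13} -> rule {rid} {rule.action} log={rule.log}")
```

With only the catch-all present, both logged entries hit it and are logged, which is the rule-9 situation in the thread; with the zone IN rule at ID 0 they are allowed, since destinations 0.0.0.0 and 255.255.255.255 both fall under "To IP [ANY]".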

When I have used a packet sniffer previously on my connection between the router and my PC there was all kinds of traffic that the firewall log didn’t show. I tend to agree with you that the router looks like it is the one doing the broadcasting here. Rather than hijack this thread I am going to get my packet sniffer out tonight and see what is going on under the hood, start a new thread for discussion, and post the packet logs and firewall logs to show what my router does during the process. Maybe we can see what is going on for sure, plus, I think that would make for an interesting discussion.

jasper

gibran, this includes your suggested change.
I’ve also allowed DNS servers, kind of following on the ZoneAlarm model (although ZoneAlarm was not nearly as much fun to work with).

(Tried attaching the image–hope this works.)

[attachment deleted by admin]

Oh, and I see that my Rule 9 in the preceding screenshot is redundant now.

Ravenheart, that zone rule looks wrong to me. You should have two rules, one IN and one OUT, and they should be at positions 0 and 1. I’d be inclined to delete that rule and run through the New Zone (trusted networks) again.

@Jasper. I’d be very interested in that :)

Toggie, so it’s that simple!

[attachment deleted by admin]