Anyone have ideas why I've been getting this blocked?

mentalhemroids · Feb 24, 2007, 6:56 PM

My default rule is to block anything that isn't requested, so I noticed recently that I am getting this in my firewall log…
Feb 24 12:24:57 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:57 BRIDGE0 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:57 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:47 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:47 BRIDGE0 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:47 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:37 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:37 BRIDGE0 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:37 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:27 Bridge 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:27 BRIDGE0 169.254.255.1 224.0.0.5 TCP
Feb 24 12:24:27 Bridge 169.254.255.1 224.0.0.5 TCP

I checked both of the addresses and they trace to IANA; I'm not going to their site, but I do have dyndns running. Does anyone know if that could be causing the address check?
I was just thinking I just setup a box with freebsd 6.2; anyone know if it has a check feature. I'm just wanting be sure.
Thanks.

Search results for: 169.254.255.1

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional information.
RegDate: 1998-01-27
Updated: 2002-10-14

hoba · Feb 24, 2007, 7:25 PM

Looks like some sort of broadcast traffic. If it's coming from the WAN there is not much that you can do about it besides asking your ISP to check their config. Carp produces similiar traffic btw to announce it's master status to all other members.

mentalhemroids · Feb 24, 2007, 7:27 PM

Well crap… okay, I guess I'm stuck with it. I would assume they are a trusted site, but I'm not wanting to take any chances.

Thanks for your insight.

sai · Feb 28, 2007, 12:42 PM

@mentalhemroids:

Well crap… okay, I guess I'm stuck with it. I would assume they are a trusted site, but I'm not wanting to take any chances.

Thanks for your insight.

Well no, its not coming from a trusted site.

Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional information.

see http://www.faqs.org/rfcs/rfc3330.html

169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.

When a PC requests a IP address using DHCP , and then does not get a response, it is supposed to be assigned a 169.254.x.x address.

So the packets are coming from someone who needs a DHCP server, not IANA,