Blocking constant hits from WAN port 67 to LAN 255.255.255.255 port 68



  • Hi folks,

    Just converted from Smoothwall yesterday and I must say, after using smoothie for 5 years, I really like pfsense.  But I got an odd hit on my firewall and it's fast and furious.  It's a UDP hit nearly every few seconds from an IP address 96.177.57.1.  I know that UDP hits on port 67 are usually from DHCP servers but I only have one DHCP server on my LAN side, my pfsense DHCP server is disabled and the only other DHCP server is my cable modem on the WAN side.

    If it resolved to my Comcast modem, I'd let it thru but from what I can find, the IP doesn't resolve at all.

    What can I do?  Can I run an IPtable command and just drop the packet so I am not keeping my firewall so busy?



  • Your subject doesn't make sense, since any packet to 255.255.255.255 is by definition a non-routed packet. pfsense may be receiving these packets on the WAN or the LAN interface, but it's not routing them. If it's logging them on the WAN then it is dropping them already, and there's not much you can do about it.

    It's probably your ISP's dhcp server responding to dhcp requests from other people on the network, which can be sent from 255.255.255.255. This is normal and you can safely ignore it.



  • Please search the forum. This is a DHCP request, you can expect to see those and the other threads contain plenty of detail.



  • @Cry:

    Please search the forum. This is a DHCP request, you can expect to see those and the other threads contain plenty of detail.

    I love how people say STF as if that solves all our problems…

    Yea, I searched the forum and knew they were DHCP requests.  I wasn't asking if these were harmful.  The issue I had was I didn't recognize/trust the IP address that was sending the requests.  Had the DHCP requests come from my cable modem 192.168.100.1, my DHCP server 192.168.1.10 or even a Comcast IP address, I never would have posted it.  I just didn't want my log cluttered with thousands of these:

    Apr 1 20:31:03 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:05 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:07 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:08 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:09 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:13 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:23 WAN 96.177.57.1:67 255.255.255.255:68 UDP
    Apr 1 20:31:23 WAN 96.177.57.1:67 255.255.255.255:68 UDP

    I just went ahead and opened the port, you're right, these are harmless.



  • Oh yea–call this solved...



  • 
    ~# whois 96.177.57.1
    #
    # Query terms are ambiguous.  The query is assumed to be:
    #     "n 96.177.57.1"
    #
    # Use "?" to get help.
    #
    
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=96.177.57.1?showDetails=true&showARIN=false
    #
    
    Comcast IP Services, L.L.C. DC-CDM-9 (NET-96-177-0-0-1) 96.177.0.0 - 96.177.255.255
    Comcast IP Services, L.L.C. CABLE-1 (NET-96-128-0-0-1) 96.128.0.0 - 96.191.255.255
    
    

    That address belongs to Comcast, whose network you are on, so pretty normal. Your modem is most likely in bridge mode, which is why that IP address does not match that of the modem.



  • Hey thanks for that!!!!! I used reverse DNS and it came up blank:S  I didn't think to just run a whois–thanks again!
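
Added example, not written by any poster in this thread: a Python script that tallies DHCP server broadcasts (UDP 67 to 255.255.255.255:68) in log lines laid out like the ones quoted above and checks each source against the Comcast ranges from the whois output. The function names and the two non-Comcast sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges copied from the whois output in this thread (Comcast allocations).
ISP_RANGES = [("96.177.0.0", "96.177.255.255"), ("96.128.0.0", "96.191.255.255")]
ISP_NETS = [net for lo, hi in ISP_RANGES
            for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi))]

# Matches the log layout quoted in the thread: date, interface, src:port, dst:port, proto.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")

def is_dhcp_server_broadcast(m):
    """Server-to-client DHCP: UDP source port 67 to 255.255.255.255 port 68."""
    return (m["proto"] == "UDP" and m["sport"] == "67"
            and m["dport"] == "68" and m["dst"] == "255.255.255.255")

def summarize(lines):
    """Return (expected, unexpected) Counters of DHCP broadcast sources."""
    expected, unexpected = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_dhcp_server_broadcast(m):
            continue  # not a DHCP server broadcast; ignore for this tally
        src = ipaddress.ip_address(m["src"])
        bucket = expected if any(src in n for n in ISP_NETS) else unexpected
        bucket[str(src)] += 1
    return expected, unexpected

# First three lines are from the thread; the last two are constructed for contrast.
SAMPLE = """\
Apr 1 20:31:03 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:05 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:07 WAN 96.177.57.1:67 255.255.255.255:68 UDP
Apr 1 20:31:09 WAN 203.0.113.5:67 255.255.255.255:68 UDP
Apr 1 20:31:10 WAN 198.51.100.7:53123 192.0.2.10:443 TCP
""".splitlines()

if __name__ == "__main__":
    ok, odd = summarize(SAMPLE)
    print("DHCP broadcasts from ISP ranges:", dict(ok))
    print("DHCP broadcasts from other sources:", dict(odd))
```

A source that lands in the second tally is one whose owner has not been confirmed against the ISP's allocation and is worth a whois lookup like the one above.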

