CHX-I Logging Question

Discussion in 'other firewalls' started by noway, Jul 5, 2005.

Thread Status:
Not open for further replies.
  1. noway

    noway Registered Member

    Apr 24, 2005
    I'm trying out CHX-I 2.8.2 and just had a question about CHX-I logs. I have cable modem,
    standalone PC and use DHCP. My current IP address is 70.29.xx.xx. If I traceroute someone,
    the first hop is, which is my 10Net (??) address (not sure what that means exactly).
    I am using CHX-I with only 2 rules: UDP&TCP_NO_SYN(Stateful ON) ICMP (Stateful ON) . I
    have stateful TCP/UDP/ICMP all turned on with logging enabled.

    I am confused about the following periodic activity in my logs:

    Incoming/UDP/source ip: port: 67/dest ip: port: 68/
    reason: Out of connection

    Questions: -what does this 10Net stuff mean exactly?
    -why is the destination address 255.555.255.255? (All other INCOMING log entries
    have destination IP 70.29.xx.xx (my real IP address))

    I'm not having any problems or errors...just want to learn a little more about this stuff)
  2. Jaws

    Jaws Registered Member

    Apr 4, 2005
    Hi Noway,

    I'll take a crack at it but I'll probably be wrong.

    It's your ISP DHCP servers (private address 10.X.X.X) port 67 doing an all IP ( broadcast to your port 68. I get the same thing with CHX . It's there because you have stateful turned on because if you double click that line in the log it doesn't take you to a filter. Since it didn't originate from your computer it just times out as no connection.

    If you use just the treewalk filters for spoofed ip's they'll show up, if double clicked on, as belonging to the spoofed 10.X.X.X filter.


    Last edited: Jul 5, 2005
  3. Kerodo

    Kerodo Registered Member

    Oct 5, 2004
    Jaws, I think you are right. I just call this incoming traffic "dhcp noise". I see it all the time here. I just created a rule in CHX to deny it and turned logging off. That way I don't see it in the logs all the time.

    Ordinarily, my system renews it's dhcp lease by sending a request out to an address in the 172.xx.xx.xx range, and then a reply comes back from the same address. So all is well. However, if I run a cmd prompt (in Win2k) and then type ipconfig /release, and then ipconfig /renew, I find that the outgoing traffic is to the 172.xx.xx.xx address, but the incoming reply comes back from an address in the 10.xx.xx.xx range. When this is the case, you will have to specifically allow this traffic with a rule, since blocking it as per above will interfere with the proper working of things and your dhcp won't work.

    But under normal usage and conditions (no cmd prompt release and renew) then everything should work fine even if you block the 10.xx.xx.xx incoming traffic.

    I hope this makes sense to someone besides me... ;)
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.