dhcp question

  • Thread starter: Kerodo

Kerodo

I just installed Sygate 5.5 firewall here and I'm seeing something strange
in the logs. Everything is working fine, but I'm seeing what looks like
some form of dhcp inbound from remote port 67 to my local port 68 and local
address of 255.255.255.255. The remote IP address is 10.81.48.1. Sygate
is blocking this incoming traffic. It happens frequently, every so many
minutes. Sometimes 20 minutes between them and sometimes only a few
minutes. It's been constant now for the past day or so.

My question is, what is this traffic and why is it happening? Should I
create a rule in Sygate to allow it? Or should I continue to let the
firewall block it? Anyone?
 
This is normal DHCP chatter. When someone on your subnet turns on
their computer, it will send a broadcast packet (address
255.255.255.255) to port 67 to find a DHCP server to give it an IP
address. Since the requesting machine doesn't have an IP address, the
only way the server can reply with the IP address for it to use is to
send another broadcast message to port 68. Unfortunately, not only
does the DHCP server & client receive these packets, but so does
everyone else on the subnet (a necessary consequence).

Depending on your network configuration, it may be dangerous to block
ports 67 & 68 because those ports are needed by your machine as well to
periodically renew its IP address lease as well as obtain one in the
first place. If you drop off-line for some unexplained reason, that
might be it.

HTH,
John
 
Ok, thanks for your response. I won't worry about it then. Apparently the
other firewalls had been letting that thru, but Sygate knows it's nonsense
and blocks it. Sygate lets normal dhcp thru so everything works fine.
 
I notice that it's coming from just one IP address though, 10.81.48.1, and
not various addresses. Is this normal?
 
You are seeing the server-to-client part of the handshake. Usually
there is only one server for a subnet.

HTH,
John
 
Ok, thanks. I'll just ignore it and treat it like all the other blocked
traffic. When my lease expires it renews ok, so there's apparently
nothing wrong here. I don't seem to need to allow this stuff so I'll let
Sygate continue to block it. Thanks again...
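
John's explanation of the broadcast replies, as an added example that is not part of the original thread: a parser for the UDP payload of a DHCP message that reads the client hardware address and server identifier, so a host can tell a reply meant for another machine on the subnet from its own, and notice a reply from a server it does not expect. The MAC addresses, the offered address 10.81.48.77 and the function names are constructed for the demo; only the server address 10.81.48.1 comes from the thread.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def dotted(raw):
    return ".".join(str(b) for b in raw)

def parse_dhcp(payload):
    """Parse a UDP payload from port 67/68 into the fields needed for triage."""
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[2] > 16:
        raise ValueError("not a well-formed DHCP message")
    op, hlen = payload[0], payload[2]
    msg = {"op": op, "xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": dotted(payload[16:20]),           # address being handed out
           "chaddr": payload[28:28 + hlen].hex(":"),   # MAC of the intended client
           "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                 # DHCP message type
            msg["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54 and length == 4:               # server identifier
            msg["server_id"] = dotted(value)
        i += 2 + length
    return msg

def classify(payload, my_mac, known_servers):
    """Label one observed packet from this host's point of view."""
    msg = parse_dhcp(payload)
    if msg["op"] != 2:                                 # 1 = request, 2 = reply
        return "client-request"
    if msg["server_id"] not in known_servers:
        return "unexpected-server"
    return "reply-for-me" if msg["chaddr"] == my_mac.lower() else "reply-for-other-host"

def sample_reply(mac, server_ip, msg_type=2):
    """Constructed broadcast reply for the demo; not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000)  # op..flags
    hdr += bytes(4) + bytes([10, 81, 48, 77]) + bytes(8)  # ciaddr, yiaddr, siaddr+giaddr
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    opts = bytes([53, 1, msg_type, 54, 4]) + bytes(int(p) for p in server_ip.split("."))
    return hdr + MAGIC + opts + b"\xff"
```

A packet labelled reply-for-other-host is the kind of traffic the thread describes: safe for this machine to drop, because the lease it carries belongs to a different client.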
 
