Quoted from another thread....

If this is the case, why is my firewall blocking a whole boat load of packets from a Private IP that isn't mine?

Apr 22 15:20:00 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215 
Apr 22 15:32:01 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223 
Apr 22 15:32:01 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215 
Apr 22 15:44:01 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223 
Apr 22 15:44:01 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215 
Apr 22 15:56:02 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223 
Apr 22 15:56:02 platypus kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:fe:fd:40:16:47:15:08:00 SRC=192.168.139.100 DST=192.168.255.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=215

There are quite a lot of these:

fukawi2@platypus ~  $ grep -c '192.168.139.100' /var/log/messages.log 
1726

Of course, now that the private network is an alias on eth0 instead of a separate interface, I can't guarantee these aren't spoofed packets from the BBI (Big Bad Intarwebs), but if that were the case, I find it very coincidental that the person doing the spoofing knows the address space of the private network on my host...

I'm not really bothered, my firewall (obviously) blocks everything that isn't from my other Linode, and the only traffic I send across the private lan is some ssh traffic occasionally, but if there's a bug or whatever, then it probably wants to be reported

Being able to sniff and being able to see broadcast traffic are two different things. You can't sniff traffic between two of my nodes on the private network. You can, however, hear my broadcast traffic or any traffic directed at your node.

Ahh, very true... I wasn't sure there there was some kind of VLAN happening in Xen to completely isolate the traffic.

But it's an interesting point. Your linode has to waste time processing these broadcast packets. Given the number of linodes on a subnet that's a lot of wasted CPU time!

Hmm.

I wonder if it's worth linode modifying the host filters to block broadcast traffic.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

Also interesting that I only see it from one other host....

Probably because there's only one node in your datacenter who likes to chatter NetBios traffic.