If you look at the example, you'll see that it is in fact broadcasted DNS traffic and not directed:

Router_IP 255.255.255.255 Udp 57125 53 - BLOCKED ISA_IP

Since the traffic is broadcast, I would think it would be handled in exactly the same manner as DHCP broadcasts.

David Elmquist

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 6. januar 2002 20:51
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How to get rif of DHCP broadcast logging?

http://www.ISAserver.org

That's all true, but what does directed DNS traffic have to do with broadcast DHCP traffic?

My point is:
1. The majority of DHCP traffic is broadcast-based, since the DHCP client won't have an IP address
2. ISA blocks and logs all broadcast traffic on any external interface (including DMZ interfaces)
3. Any attempt to specify a broadcast IP in the local computer part of the packet filter will cause the Firewall service to choke on the PF definition.

Essentially, you can't stop ISA from logging broadcast traffic on the external interface.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "David Elmquist" <david@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, January 06, 2002 11:35
Subject: [isalist] Re: How to get rif of DHCP broadcast logging?

Just for fun, I've tried it out. Since I haven't got any DHCP servers on the outside of my ISA, I used a router to generate DNS broadcasts which look like this:

Router_IP 255.255.255.255 Udp 57125 53 - BLOCKED ISA_IP

I then constructed a packet filter with the following properties:

Block UDP
Direction: Receive only
Local port: fixed - 53
Remote port - all ports
Local computer: This ISA server's External address: 0.0.0.0
Remote computer: Router_IP

When I untick "Log any packets matching this filter", I do not get the broadcast traffic in my log.
David Elmquist

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 6. januar 2002 20:20
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How to get rif of DHCP broadcast logging?

You can't specify "255.255.255.255." (broadcast address) in the packet filter properties for the ISA IP, which is what ISA is blocking.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "David Elmquist" <david@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, January 06, 2002 10:43
Subject: [isalist] Re: How to get rif of DHCP broadcast logging?

I would have thought one could construct a packet filter along the lines of this:

Block UDP
Local port: - fixed port 68 - direction: Receive
Remote port: - fixed port 67 -

And then untick "Log any packets matching this filter". Haven't tried it, though.

I did once construct a packet filter to accept DHCP broadcast from external source. Had to use 0.0.0.0 as "This ISA server's external address" to get it to work. It might be applicable in the above example too.

David Elmquist

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 6. januar 2002 19:26
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How to get rif of DHCP broadcast logging?

No; ISA logs all blocked traffic, regardless of its origin.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Leo" <leo@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, January 06, 2002 04:10
Subject: [isalist] How to get rif of DHCP broadcast logging?

I'm running a DHCP server on the ISA Server. The external adapter gets its address from an external DHCP server (at my ISP).
I notice lots of blocked UDP packets (port 67, 68) if I check the logs on the ISA server. They are coming from my internal adapter. I want to prevent these broadcasts to my external adapter because they are flooding my logfile.

Is there a way to do this??

Thanks,
Leo

2002-01-06 00:00:15 192.168.255.1 255.255.255.255 Udp 68 67 BLOCKED 62.45.59.38
2002-01-06 00:00:15 192.168.255.1 255.255.255.255 Udp 67 68 BLOCKED 62.45.59.38
2002-01-06 00:00:23 192.168.255.1 255.255.255.255 Udp 68 67 BLOCKED 62.45.59.38
2002-01-06 00:00:23 192.168.255.1 255.255.255.255 Udp 67 68 BLOCKED 62.45.59.38
2002-01-06 00:00:31 192.168.255.1 255.255.255.255 Udp 68 67 BLOCKED 62.45.59.38
2002-01-06 00:00:31 192.168.255.1 255.255.255.255 Udp 67 68 BLOCKED 62.45.59.38
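
An added example, not part of the thread and not ISA Server functionality: where blocked broadcasts keep being logged, the DHCP noise can be collapsed when the log is read, so that other blocked traffic stays visible. This Python script assumes the column layout of the log lines quoted above; the function names are hypothetical and every sample line after the first two is constructed.

```python
import re
from collections import Counter

# Column order as in the log lines quoted in the thread:
# date time src dst protocol src_port dst_port [extra] action interface_ip
# One quoted line carries an extra "-" column before the action, so it is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?:(?P<extra>\S+)\s+)?"
    r"(?P<action>[A-Z]+)\s+(?P<iface>\S+)\s*$"
)
LIMITED_BROADCAST = "255.255.255.255"
DHCP_PORTS = {67, 68}

def classify(rec):
    """Label a parsed record: dhcp-broadcast, other-broadcast or directed."""
    if rec["dst"] == LIMITED_BROADCAST and rec["proto"].lower() == "udp":
        if {int(rec["sport"]), int(rec["dport"])} == DHCP_PORTS:
            return "dhcp-broadcast"
        return "other-broadcast"
    return "directed"

def triage(lines):
    """Collapse blocked DHCP broadcasts into counts; keep every other record."""
    noise, keep, unparsed = Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # counted, never dropped silently
            continue
        rec = m.groupdict()
        kind = classify(rec)
        if kind == "dhcp-broadcast" and rec["action"] == "BLOCKED":
            noise[(rec["src"], rec["iface"])] += 1
        else:
            keep.append((kind, rec))
    return noise, keep, unparsed

SAMPLE = [
    "2002-01-06 00:00:15 192.168.255.1 255.255.255.255 Udp 68 67 BLOCKED 62.45.59.38",
    "2002-01-06 00:00:15 192.168.255.1 255.255.255.255 Udp 67 68 BLOCKED 62.45.59.38",
    # Constructed lines (documentation addresses), modelled on the thread's format:
    "2002-01-06 00:01:02 192.0.2.1 255.255.255.255 Udp 57125 53 - BLOCKED 198.51.100.10",
    "2002-01-06 00:01:05 203.0.113.7 198.51.100.10 Tcp 40000 445 - BLOCKED 198.51.100.10",
    "2002-01-06 00:01:09 203.0.113.7",  # truncated line
]

if __name__ == "__main__":
    noise, keep, unparsed = triage(SAMPLE)
    for (src, iface), n in noise.items():
        print(f"{n} blocked DHCP broadcasts from {src} on {iface}")
    for kind, rec in keep:
        print(kind, rec["src"], rec["dst"], rec["proto"], rec["dport"])
    print("unparsed lines:", unparsed)
```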