Below is a copy of the message from the old LRP mailing list.

=====================

Message: 12
Date: Wed, 16 May 2001 14:45:04 -0700
From: Victor McAllister <[EMAIL PROTECTED]>
To: Linux Router Project <[EMAIL PROTECTED]>
Subject: Re: [LRP] All threads regarding port 53 TCP

John Desmond wrote:

> Somebody said:
> > > Some load balancing systems will generate TCP/53
> > requests
> > > to your name server in order to identify your
> > virtual
> > > location on the Internet.
>
> Is it possible that the DNS requests that dnscache
> makes causes LRP to look like a nameserver?
>
> By the way, I haven't used any workstations behind
> the LRP since morning of 5/11 and I've gotten the
> following DNSpam: 5/11 21:38:54, 5/11 23:53:15, and
> 5/12 10:36:25. Nothing since then.
> -John

I run Eiger and added a version of Charles' script into
/etc/ipfilter.conf here:
# Clear any garbage rules out of the filters
ipfilter_flush

# Block known IPs who do TCP port 53 floods
# Added to block list of IPs on 4/15/2001
  IP_LIST="`cat /etc/dns_floods`"
  for IP in $IP_LIST ; do
      $IPCH -I input -j DENY -p tcp -s $IP/32 -d
$EXTERN_IP/32 53 -i $EXTERN_IF
  done ; unset IP

It adds 22 rules to the input filter.  You can still tell if
you have been hit because the number of DENYed packets is
available when you look at the input filter list.  (You can
use weblet to view this).  Probably just eliminates the 100k
log entries since they were being DENYed anyway before.


===================================


Now, from what I noticed, the line:

$IPCH -I input -j DENY -p .....etc

is wrapped by my mail client (or the mail server, whatever the hell).  I
remove the LF/CR or whatever with delete, and it works great.

Also, the other thing I found is that there are a few places in the
ipfilter.conf that flush all the rules.  Make sure you place it in the
right spot or one of the later flushes will remove your hard work.

Tinker with it and you will get it going!

Later,

Tony



> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin
> Sent: Thursday, July 05, 2001 06:59
> To: [EMAIL PROTECTED]
> Subject: FW: [Leaf-user] Help with DNS error logs on Eiger2Beta with
> PPPoP Attn; Charles or Victor
>
>
>
> -----Original Message-----
> From: Kevin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 04, 2001 11:51 AM
> To: Leaf-User@Lists. Sourceforge. Net
> Subject: Re: [Leaf-user] Help with DNS error logs on Eiger2Beta with
> PPPoP Attn; Charles or Victor
>
>
> HELP!!
>
> I tried to search via Geocrawler for DNS and Scripts and it found
> nothing...ouch
>
> Any help on the script to run to stop this logging?
>
> Thanks
>
>
> Message: 4
> Date: Tue, 03 Jul 2001 18:24:36 -0700
> From: Victor McAllister <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Help with DNS error logs on
> Eiger2Beta with PPPoP
> Reply-To: [EMAIL PROTECTED]
>
> 64.37.200.46 is one of the IPs used by some companies for geographic load
> balancing.  A whole list of machines all hit your port 53 at the same time.
> It doesn't do any damage, but the log entries can run to 100k or more.
> I use Charles' little script to modify the firewall to not log this garbage.
> There was a message on this list a couple of days ago with the script for
> esb2...  If you can't find -- holler.
>
> > I need some help in not logging the following DNS error types:
> >
> > Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
> >
> > I am using the Eiger2beta with PPPoP from Ken on a two floppy disk set-up.
> >
> > I have a dnscache.lrp module running and have three IPs for the DNS servers
> > to ensure these all find a way home.
> >
> > from /etc/network.conf
> > DNS0=192.168.1.254
> > DNS1=205.152.0.20
> > DNS2=205.152.0.5
> >
> > What else is needed to help?
>
>
>
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-user
>
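
Added example, not part of the original messages: a shell sketch that reads ipchains "Packet log:" lines like the one quoted above, counts DENYed TCP/53 packets per source, and prints one unwrapped DENY rule per source in the form used in the thread. The function names, the syslog prefix and every sample line except the first packet are assumptions made for illustration; it only prints rules and changes nothing on the firewall.

```sh
#!/bin/sh
# Added example, not code from the thread.
EXTERN_IP=${EXTERN_IP:-66.20.176.251}   # destination seen in the quoted log line
EXTERN_IF=${EXTERN_IF:-ppp0}            # interface seen in the quoted log line
IPCH=${IPCH:-ipchains}

# Constructed sample: only the first packet is quoted from the thread; the
# syslog prefix and the other four lines are made up for illustration.
sample_log() {
cat <<'EOF'
Jul  3 18:20:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
Jul  3 18:20:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41620 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
Jul  3 18:20:02 fw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.77:1042 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#42)
Jul  3 18:20:05 fw kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:1050 66.20.176.251:53 L=60 S=0x00 I=0 F=0x0000 T=52 (#42)
Jul  3 18:20:09 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:2001 66.20.176.251:80 L=44 S=0x00 I=0 F=0x0000 T=50 (#42)
EOF
}

# Print "hits source-ip" for DENYed TCP (PROTO=6) packets aimed at port 53,
# busiest first. $1 is the minimum hit count to report (default 1).
dns_flood_sources() {
  awk -v min="${1:-1}" '{
    for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
    if (i < 3 || i > NF - 2) next                 # not a packet log line
    if ($i != "PROTO=6" || $(i-2) != "DENY") next # TCP and denied only
    split($(i+1), src, ":"); split($(i+2), dst, ":")
    if (dst[2] != "53") next
    if (src[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
    hits[src[1]]++
  }
  END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Dry run: print one rule per source, each on a single line, in the form
# used in the thread. Nothing is applied to the firewall.
emit_rules() {
  while read -r _hits ip; do
    echo "$IPCH -I input -j DENY -p tcp -s $ip/32 -d $EXTERN_IP/32 53 -i $EXTERN_IF"
  done
}

sample_log | dns_flood_sources 2 | emit_rules
```

Review the printed rules before using them, and place them after the last flush in ipfilter.conf so a later flush does not remove them.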

