> I'm having a lot of denied packets on port 53, like this one:
> Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
>
> When I check them on http://www.echogent.com/cgi-bin/fwlog.pl
> I got no advice on it.
>
> The results of listing the rule are
> # ipchains -nvL --line-numbers
> 65 520 24564 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a

This is the "catch all" rule, which blocks any inbound traffic on the external interface that hasn't explicitly been allowed.

> Can anyone help figuring out what's wrong (or may be right) and why are
> these packets being blocked.

The packets are TCP (protocol 6) with a source port of 46069 and a destination port of 53. This is pretty weird. Port 53 is for DNS, but typically DNS queries only use UDP. TCP packets to/from port 53 *ARE* used to do zone transfers, and occasionally to transfer particularly large DNS queries/responses. The high source port number of 46069 would lead me to believe the remote end initiated the connection.

If you're not running a DNS server, I'd say the traffic is some sort of scan or probe, and should be denied.

If you're actually running a DNS server, this traffic isn't so unusual... you should look into references on packet filtering and securing your DNS server... if you simply drop inbound TCP queries, you can cause delays in name resolution for your domains, but fully securing DNS is beyond the scope of this e-mail, and your original question.

HTH,

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
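
An added example, not part of the original message: a small Python parser for ipchains log lines in the format quoted above, applying the reply's reasoning about port 53 to each entry. The function names, the `runs_dns_server` flag, and the second and third sample lines (documentation addresses) are constructed for illustration.

```python
import re

# Field layout follows the ipchains log line quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*?T=(?P<ttl>\d+) .*?\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# First line is from the thread; the other two are constructed samples.
SAMPLE = [
    "Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 "
    "202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)",
    "Mar 14 13:47:02 tptrtr kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.10:1027 200.45.110.178:53 L=60 S=0x00 I=311 F=0x0000 T=52 (#65)",
    "Mar 14 13:48:40 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:3301 200.45.110.178:23 L=44 S=0x00 I=9 F=0x0000 T=48 (#65)",
]

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def classify(rec, runs_dns_server):
    """Apply the reply's reasoning about port 53 to one parsed record."""
    if rec["dport"] != 53 or rec["proto_name"] not in ("tcp", "udp"):
        return "not DNS"
    if not runs_dns_server:
        return "no DNS server here: likely scan or probe, keep denying"
    if rec["proto_name"] == "tcp":
        return "TCP DNS (zone transfer or large response): dropping may delay resolution"
    return "DNS query to local server"

def summarize(lines, runs_dns_server=False):
    """Return (source, proto, dport, verdict) for every line that parses."""
    recs = filter(None, map(parse, lines))
    return [(r["src"], r["proto_name"], r["dport"], classify(r, runs_dns_server)) for r in recs]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```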