Re: [Dorset] [OT] DNS port number
Hi Andrew,

> Once a connection is made (an incoming connect request to an allowed
> port) accept(2) will grab another port so that the original port is
> free for further connect requests.

For the benefit of others, since I know you really know this already
:-), accept(2) creates another *socket* to handle the connection that's
been made, not another port, so further connection requests on the
existing socket can be accepted. The port number is the same for both
sockets; that's fine since the 5-tuple overall will be distinct between
the two.

Cheers, Ralph.

-- 
Next meeting: Blandford Forum, Wednesday 2011-03-02 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
How to Report Bugs Effectively: http://goo.gl/4Xue
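An added example, not from the thread, that shows Ralph's point directly: one listening socket on the loopback interface accepts two clients, and both accepted sockets report the listener's own local port, with only the peer's kernel-chosen port differing. The function name and the use of port 0 (let the kernel pick a free port) are this example's choices.

```python
"""Added example (not from the mailing-list thread): what accept(2) hands back.
Two clients connect to one listening socket; each accepted socket carries the
listener's local port, and only the peer's ephemeral port differs, so the two
5-tuples remain distinct."""
import socket


def accept_two_clients():
    """Listen on a kernel-chosen loopback port, connect two clients, accept
    both, and return the listening port plus the 5-tuple of each accepted
    socket as (proto, laddr, lport, raddr, rport)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: kernel picks a spare port
    listener.listen(2)
    listen_port = listener.getsockname()[1]

    clients, accepted = [], []
    try:
        for _ in range(2):
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.connect(("127.0.0.1", listen_port))  # client's local port is also kernel-chosen
            clients.append(c)
            conn, _peer = listener.accept()          # a new socket, NOT a new port
            accepted.append(conn)
        tuples = []
        for conn in accepted:
            laddr, lport = conn.getsockname()
            raddr, rport = conn.getpeername()
            tuples.append(("TCP", laddr, lport, raddr, rport))
        return {"listen_port": listen_port, "tuples": tuples}
    finally:
        for s in clients + accepted + [listener]:
            s.close()


if __name__ == "__main__":
    info = accept_two_clients()
    print("listening on port", info["listen_port"])
    for t in info["tuples"]:
        print("accepted socket 5-tuple:", t)
```

Running it prints two tuples whose third member (local port) equals the listening port and whose fifth member (remote port) differs; that differing member is what keeps the two connections apart in the kernel's table.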
Re: [Dorset] [OT] DNS port number
On Friday, February 25, 2011 05:25:29 pm Ralph Corderoy wrote:
> Hi Andrew,
>
> > Once a connection is made (an incoming connect request to an allowed
> > port) accept(2) will grab another port so that the original port is
> > free for further connect requests.
>
> For the benefit of others, since I know you really know this already
> :-), accept(2) creates another *socket* to handle the connection that's
> been made, not another port, so further connection requests on the
> existing socket can be accepted. The port number is the same for both
> sockets; that's fine since the 5-tuple overall will be distinct between
> the two.
>
> Cheers, Ralph.

Yup! Sincerest apologies. You are of course right - it's the 5-tuple
that identifies the endpoint.

Andy
Re: [Dorset] [OT] DNS port number
Yup, Ralph, that's how I see one abstraction of it...

I get iptables panic when I use Skype. It uses lots of high UDPs for a
hole punch. It eventually works though.
Re: [Dorset] [OT] DNS port number
On 23 February 2011 23:03, Tim xendis...@gmx.com wrote:
> Any thoughts?

I'd look into setting up a DMZ box (if you've a spare machine),
separating the internal network from the Virgin/BT/whatever supplied
h/ware. Extreme, admittedly, but what price peace of mind?

-- 
regards, jr.

time flies like an arrow, fruit flies like a banana.
Re: [Dorset] [OT] DNS port number
On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> On 23 February 2011 23:03, Tim xendis...@gmx.com wrote:
> > Any thoughts?
>
> I'd look into setting up a DMZ box (if you've a spare machine),
> separating the internal network from the Virgin/BT/whatever supplied
> h/ware. Extreme, admittedly, but what price peace of mind?

Hi Tim,

I have precisely this kind of setup simply by having two network
interfaces on my main system, which runs iptables and is connected via
the internal LAN cable and hub to a wireless repeater to which my wifi
gadgets (PS3, Nokia phone, Bravia TV) connect. What I really like is
the level of control I have, from configuring iptables right down to
monitoring with Wireshark and DHCP control of clients. Perish the
thought of a cable wifi router.

Incidentally, as Dan says, 8.8.8.8 is Google DNS. Why are you not using
Virgin's own DNS, which can be set via DHCP?

Regards
Andy
Re: [Dorset] [OT] DNS port number
On Wednesday 23 February 2011 23:22:14 Andrew Reid Paterson wrote:
> On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> > On 23 February 2011 23:03, Tim xendis...@gmx.com wrote:
> > > Any thoughts?
> >
> > I'd look into setting up a DMZ box (if you've a spare machine),
> > separating the internal network from the Virgin/BT/whatever supplied
> > h/ware. Extreme, admittedly, but what price peace of mind?
>
> Hi Tim,
>
> I have precisely this kind of setup simply by having two network
> interfaces on my main system, which runs iptables and is connected via
> the internal LAN cable and hub to a wireless repeater to which my wifi
> gadgets (PS3, Nokia phone, Bravia TV) connect. What I really like is
> the level of control I have, from configuring iptables right down to
> monitoring with Wireshark and DHCP control of clients. Perish the
> thought of a cable wifi router.
>
> Incidentally, as Dan says, 8.8.8.8 is Google DNS. Why are you not
> using Virgin's own DNS, which can be set via DHCP?
>
> Regards
> Andy

Hi Andy,

I have been with NTL\Virgin a very long time (since it arrived in the
bmth\Poole area, I was a tester) and in the early days NTL DNS were
terrible, so I have been using non-NTL\Virgin DNS for as long as I have
been using NTL\Virgin cable.

I do have my own firewall PC behind the router but I have been
considering removing it as it is a very old PC running old firewall
software.

While I am aware that 8.8.8.8 is Google, I have had exactly the same
problem when I was using the OpenDNS IP (208.67.222.222).

Tim
Re: [Dorset] [OT] DNS port number
> Hi Dan,
>
> On Wednesday 23 February 2011 23:12:31 Dan Dart wrote:
> > 8.8.8.8 is Google's DNS service. If you're using it, then that'll be
> > why. The high port numbers are the responses.
>
> which were blocked :(
>
> I know 8.8.8.8 is Google, I have had the same log entries when I was
> using the OpenDNS IP (208.67.222.222). I realise that the log entry
> is telling me that a port scan was blocked but I want to know why the
> DNS is scanning my system on high port numbers when the DNS port
> number is normally 53. Is this high port number scanning normal
> activity??

If I'm remembering my Stevens correctly, and Andy Paterson will correct
me if I'm wrong, IP packets use a 5-tuple to fully specify the
connection, e.g. TCP. Its members are

    protocol, local address, local port, remote address, remote port

When my machine sends a DNS request to Google that tuple might be

    UDP, 87.113.175.32, 49681, 8.8.8.8, 53

87... is my IP address at the moment; 8.8.8.8 and 53 you recognise as
one of Google's DNS servers' IP addresses and the domain service's port
number. The local port, 49681, has been picked randomly by my machine
because the resolver software said it didn't care what the port number
was, so it just got a spare one. It's the well-known destination port,
53, that's important when initiating a request to a server. The server
will see the address and port number of the peer, 87.113.175.32 and
49681, and send the reply there.

No two duplicate 5-tuples exist at the same moment. If I ssh, port 22,
from machine foo to machine bar in one terminal, and then do the same
in another, the tuples may be

    TCP, foo, 41839, bar, 22
    TCP, foo, 38220, bar, 22

It's the differing local port numbers that allow those two connections
to exist at the same time; every other member of the tuple is identical.

So back to your original issue,

> TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011
> targeting ***.***.***.***,61169, sent from 8.8.8.8,53
> (*=my ip address)

61169 is the local port number that Google's DNS server thinks
originated the request that it's replying to. Your stateful firewall
software thinks that's a port scan because it never saw the outgoing
request, or the request to Google didn't come from you and someone is
spoofing your IP address. Or your firewall is buggy. :-)

If they are spoofing you then they're probably not picking on you per
se, it's just one of those things, and this email is long enough
already.

As for why they still occur when you use OpenDNS, I guess it's because
something on your LAN is still configured to use Google. You could use
tcpdump or Wireshark on an appropriate machine to try and see the
outgoing request.

    sudo tcpdump port domain

Cheers, Ralph.
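An added example, not part of the thread, that works through Ralph's explanation in code: a toy connection tracker in the spirit of a stateful firewall records the 5-tuple of each outgoing DNS query and admits an inbound packet only when it matches a recorded query with the two ends swapped, so a reply from 8.8.8.8:53 to a high port that was never seen going out is flagged exactly as Tim's log did. A small parser for that alert line shows the first triage check: source port 53 means "a DNS reply that nothing here asked for", not a scan of the high port. The addresses (192.0.2.10), the packet list and the class and function names are constructed for this example.

```python
"""Added example (not from the mailing-list thread): a minimal stateful
tracker keyed on the 5-tuple, plus a parser for the firewall's alert line.
All addresses and packets below are constructed for the example."""
import re
from collections import namedtuple

Tuple5 = namedtuple("Tuple5", "proto laddr lport raddr rport")

OUT, IN = "out", "in"

# Constructed traffic: (direction, proto, src addr, src port, dst addr, dst port)
PACKETS = [
    (OUT, "UDP", "192.0.2.10", 49681, "8.8.8.8", 53),          # our query to Google DNS
    (IN,  "UDP", "8.8.8.8", 53, "192.0.2.10", 49681),          # reply matches the query: fine
    (IN,  "UDP", "8.8.8.8", 53, "192.0.2.10", 61169),          # reply to a query never seen
    (OUT, "UDP", "192.0.2.10", 50200, "208.67.222.222", 53),   # query to OpenDNS
    (IN,  "UDP", "208.67.222.222", 53, "192.0.2.10", 50200),   # matching reply: fine
]

# Constructed alert in the same shape as the log line quoted in the thread.
ALERT = ("TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011 "
         "targeting 192.0.2.10,61169, sent from 8.8.8.8,53")


class ConnTracker:
    """Remembers the 5-tuple of every outgoing packet. A real tracker times
    entries out; this one keeps them for the life of the object."""

    def __init__(self):
        self.state = set()

    def outbound(self, proto, src, sport, dst, dport):
        self.state.add(Tuple5(proto, src, sport, dst, dport))

    def inbound(self, proto, src, sport, dst, dport):
        """True if this packet answers a recorded query: the expected entry is
        the same 5-tuple with local and remote sides swapped."""
        return Tuple5(proto, dst, dport, src, sport) in self.state


def classify(packets):
    """Run the packet list through the tracker; return a verdict per packet."""
    tracker = ConnTracker()
    verdicts = []
    for direction, proto, src, sport, dst, dport in packets:
        if direction == OUT:
            tracker.outbound(proto, src, sport, dst, dport)
            verdicts.append(("ALLOW", f"query {src}:{sport} -> {dst}:{dport}"))
        elif tracker.inbound(proto, src, sport, dst, dport):
            verdicts.append(("ALLOW", f"reply {src}:{sport} -> {dst}:{dport}"))
        else:
            # No outgoing request on record: unsolicited, which a stateful
            # firewall reports as a scan of the high port.
            verdicts.append(("DETECTED", f"unsolicited {src}:{sport} -> {dst}:{dport}"))
    return verdicts


ALERT_RE = re.compile(r"targeting (\S+?),(\d+), sent from (\S+?),(\d+)")


def parse_alert(line):
    """Pull the two endpoints out of the alert line and note whether the
    source port is 53, i.e. the packet is a DNS reply rather than a probe."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    dst, dport, src, sport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    return {
        "src": src, "src_port": sport, "dst": dst, "dst_port": dport,
        "looks_like_dns_reply": sport == 53 and dport >= 1024,
    }


if __name__ == "__main__":
    for verdict, detail in classify(PACKETS):
        print(f"{verdict:9} {detail}")
    print(parse_alert(ALERT))
```

The third packet is the one that produces Tim's log entry: nothing on record sent a query from port 61169, so the tracker has no reversed tuple to match and reports it. The parser's verdict then tells a triager where to look next: the outgoing query (the `tcpdump port domain` capture above), not the high port.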