On 14/10/2011 04:11, Alex wrote:
> Where do the "Late DNS Replies" come from? I don't see that reflected
> in the DNS macro:
>
Do a grep in the /usr/share/shorewall dir. I don't have the stuff in front of me, but I think you will find they come from the standard REJECT policy rule?

I'm not sure what "late DNS replies" are matching, but certainly something which can happen with UDP is that you can stop listening and "close" the port before a reply arrives. I think only the operating system can know this (not iptables?), but the OS will usually generate something like an ICMP port unreachable response in return.

Such a situation can occur normally if you have a DNS responder like DNSMasq which queries all DNS servers simultaneously and keeps the fastest response, or, more worryingly, if someone is trying to poison you by spoofing replies (you get the reply + the spoof - DNS usually keeps the one returned first...).

I have tried to lock down some of these in my own rule set.

Good luck

Ed W

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
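As an added illustration of the triage Ed describes (not code from the thread or from the Shorewall project), the script below reads netfilter LOG lines of the shape Shorewall emits, picks out dropped inbound UDP packets from source port 53, and labels each local port by who answered: one configured resolver (a slow answer), several configured resolvers (what a dnsmasq "all-servers" setup produces), or a server you never queried. The log lines, the "Shorewall:net2fw:DROP:" prefix and the resolver addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG-target lines in the shape Shorewall produces (sample
# data, not from the thread; the "Shorewall:net2fw:DROP:" prefix is an assumed label).
SAMPLE_LOG = """\
Oct 14 04:10:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40001 LEN=120
Oct 14 04:10:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.54 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40001 LEN=118
Oct 14 04:10:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40002 LEN=97
Oct 14 04:10:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.53 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=40004 LEN=88
Oct 14 04:10:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=443 DPT=40003 LEN=60
"""

# Upstream resolvers this host is configured to query (constructed; take yours
# from resolv.conf or dnsmasq.conf).
CONFIGURED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict."""
    return dict(FIELD_RE.findall(line))

def late_dns_replies(log_text):
    """Dropped inbound UDP from source port 53 addressed to the firewall itself
    (OUT empty): a reply arriving after the querying socket and its conntrack entry are gone."""
    return [f for f in map(parse_netfilter_line, log_text.splitlines())
            if f.get("PROTO") == "UDP" and f.get("SPT") == "53" and f.get("OUT") == ""]

def classify(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Group late replies by the local port they were aimed at and label each group.
    A forged reply can carry a configured resolver's address, so this is a triage aid, not proof."""
    by_port = defaultdict(set)
    for f in late_dns_replies(log_text):
        by_port[f["DPT"]].add(f["SRC"])
    verdicts = {}
    for dport, sources in by_port.items():
        strangers = sources - resolvers
        if strangers:
            verdicts[dport] = "unsolicited: reply from non-configured server " + ",".join(sorted(strangers))
        elif len(sources) > 1:
            verdicts[dport] = "duplicate: several configured resolvers answered (expected with dnsmasq all-servers)"
        else:
            verdicts[dport] = "late: slow answer from a configured resolver"
    return verdicts

if __name__ == "__main__":
    for port, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(port, verdict)
```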
