2003 Sep 08
4
is one of my hosts a scanner?
so I just found that one of my hosts is GENERATING these probe
pairs, maybe every minute or two (note the sequence numbers):
seq my host victim(s)
--- ---------------- ---------------
24) 192.168.0.2:1121 <--> 216.52.3.2:2703
25) 192.168.0.2:1122 <--> 216.52.3.4:2703
39) 192.168.0.2:1124 <-->
2009 Oct 20
1
[Bug 616] New: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
...OS/Version: All
Status: NEW
Severity: minor
Priority: P4
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: kd6lvw at yahoo.com
Example rule:
iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 2703 -s discovery.razor.cloudmark.com/22
DNS resolution: (BIND 9.7.0a3)
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 0
;; ANSWER SECTION:
discovery.razor.cloudmark.com. 3600 IN A 208.83.137.118
discovery.razor.cloudmark.com. 3600 IN A 208.83.139.205
discovery.razor.cloudmark.com. 3600 IN A...
2013 Jul 09
0
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
...ld allow the
admin to do whatever they want. There are likely to be some admins a bit
perturbed by our arrogance in trying to second guess them.
Let's take your example and extend it a bit with the quota match:
iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 2703 -s discovery.razor.cloudmark.com/22 -m quota --quota 1000000
Here the admin wants to limit cloudmark traffic to 3MB. Because he knows there
are 3 IPs in the DNS RR, he uses 1MB as the limit for each rule (and, like you,
he ignores that DNS RR entries can change at any time). If we implement the
change you are suggesting, we...
2013 Jul 08
0
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
https://bugzilla.netfilter.org/show_bug.cgi?id=616
--- Comment #4 from Phil Oester <netfilter at linuxace.com> 2013-07-08 23:33:07 CEST ---
As noted, #2 is solved already. Also, /128 will no longer print (commit
945353a2).
But your #1 makes little sense to me: discovery.razor.cloudmark.com/22. How
do you know that EVERY IP returned from a DNS lookup is always going to be a
/22 mask? What if they get assigned a new /24 net tomorrow, and add an IP from
that /24 to the DNS RR? Then your rule addition is no longer valid. What you
are attempting to do ultimately sounds like a bad...
2013 Jul 09
0
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
https://bugzilla.netfilter.org/show_bug.cgi?id=616
--- Comment #6 from Phil Oester <netfilter at linuxace.com> 2013-07-09 03:50:27 CEST ---
Yes, I fully understand what is happening in the one specific example you have
provided. However you need to answer what happens if Cloudmark suddenly
decides to add an IP _OUTSIDE_ of that /22 that is assigned to them. Let's say
they open a new datacenter using subnet 1.2.3.0/24. Your rule will now allow
1.2.0.0/22 even though they don't necessarily own that entire /22. And you
won't even know about this change because of...
2013 Jul 09
0
[Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
...rule with
> 208.83.136.0/22."
>
> Yet, it adds THREE rules, two of which will never fire, thus the problem and
> bug report.
You appear to be missing the point. iptables is doing EXACTLY what it should
do here, by design. So instead of using a rule with "-s
discovery.razor.cloudmark.com/22" you should use a rule with "-s
208.83.136.0/22" if you only want to get a single rule.
> Extend your quota example: When the first rule reaches the quota, it will stop
> firing. The first duplicate will then fire. In this case, as there are three
> rules, one end...
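The following is an added model, written for this page and not code from iptables or from the bug report, of the two behaviours argued over in Bug 616: how "-s hostname/22" is expanded into one rule per resolved address (so three identical 208.83.136.0/22 rules), and how that interacts with the quota match. The resolved addresses are constructed stand-ins: the first two are the A records shown in the report, the third record is elided on the page so 208.83.138.1 is an assumed placeholder, and 1.2.3.4 is taken from Phil Oester's hypothetical 1.2.3.0/24. The function names, the quota bookkeeping (a rule matches only while its remaining quota covers the packet, otherwise the packet falls through), and the packet stream are all assumptions of this example rather than iptables internals.

```python
"""Model of how iptables expands "-s hostname/prefix" into rules and how
duplicate rules interact with "-m quota". Added illustration for netfilter
Bug 616; not code from iptables or from the bug report."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the DNS answer quoted in the report. The first two
# A records appear on the page; the third is elided there, so 208.83.138.1 is
# an assumed placeholder, not the real record.
RESOLVED = ["208.83.137.118", "208.83.139.205", "208.83.138.1"]


def expand_source(addresses, prefixlen):
    """What iptables does: one rule per resolved address, each address masked
    with the requested prefix. Identical networks are NOT collapsed."""
    return [ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for a in addresses]


def deduplicate(rules):
    """What the reporter asked for: collapse identical networks, keeping order."""
    seen, out = set(), []
    for net in rules:
        if net not in seen:
            seen.add(net)
            out.append(net)
    return out


@dataclass
class QuotaRule:
    network: ipaddress.IPv4Network
    remaining: int      # bytes the quota match can still cover
    accepted: int = 0   # bytes this rule has accepted so far


def build_chain(networks, quota_bytes):
    """One ACCEPT rule with its own quota counter per network, in order."""
    return [QuotaRule(n, quota_bytes) for n in networks]


def run_chain(chain, packets):
    """Walk each (src, length) packet through the chain. A rule matches only
    if src is inside its network and its remaining quota covers the packet;
    otherwise the packet falls through to the next rule. Returns
    (bytes accepted, bytes that reached the end of the chain unmatched)."""
    accepted = unmatched = 0
    for src, length in packets:
        ip = ipaddress.ip_address(src)
        for rule in chain:
            if ip in rule.network and rule.remaining >= length:
                rule.remaining -= length
                rule.accepted += length
                accepted += length
                break
        else:
            unmatched += length
    return accepted, unmatched


def constructed_traffic(src, count, size):
    """Constructed packet stream: `count` packets of `size` bytes from src."""
    return [(src, size)] * count


if __name__ == "__main__":
    rules = expand_source(RESOLVED, 22)
    print("iptables expansion:", [str(r) for r in rules])
    print("deduplicated:      ", [str(r) for r in deduplicate(rules)])
    traffic = constructed_traffic("208.83.137.118", 3000, 1000)  # 3 MB
    print("3 duplicate rules, 1 MB quota each:",
          run_chain(build_chain(rules, 1_000_000), traffic))
    print("1 collapsed rule, 1 MB quota:      ",
          run_chain(build_chain(deduplicate(rules), 1_000_000), traffic))
    widened = expand_source(RESOLVED + ["1.2.3.4"], 22)
    print("address outside the /22 becomes:", widened[-1])
```

Running it shows the two sides of the thread side by side: the three expanded rules are all 208.83.136.0/22, so with a 1 MB quota on each, the whole constructed 3 MB stream is accepted (first rule exhausts, the "duplicate" fires next), whereas a collapsed single rule accepts 1 MB and lets 2 MB fall through. The last line shows Phil Oester's objection: once a record outside 208.83.136.0/22 appears, the same "/22" syntax silently admits all of 1.2.0.0/22.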