Shorewall users - Jan 2002 - Dropped packet question....

Hi guys, thought maybe someone would know this off the top of their heads=2E..

What are seemingly legitimate hosts (this one resolves to AskJeeves) doing
trying to UDP to port 0?  And always with a SPT of 53?

There aren''t too many of these in the logs, so it doesn''t seem
like DNS, and
the connection list shows no connections to the related address.

Log entry:
Jan  2 03:27:56 net2all:DROP:IN=3Deth0 OUT=3Deth1 SRC=3D65.214.36.7
DST=3D192.168.0.25 LEN=3D64 TOS=3D0x00 PREC=3D0x00 TTL=3D1 ID=3D32523
PROTO=3DUDP SPT=3D53
DPT=3D0 LEN=3D44

Thanks,
John Stroud
Someday I''ll make a real sig


Tracking #: 732ABD26745089459CD8710713632B03567A6149

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

On Wednesday 02 January 2002 04:10 am, Bear wrote:
>
> Log entry:
> Jan  2 03:27:56 net2all:DROP:IN=3Deth0 OUT=3Deth1 SRC=3D65.214.36.7
> DST=3D192.168.0.25 LEN=3D64 TOS=3D0x00 PREC=3D0x00 TTL=3D1 ID=3D32523
PROTO=3DUDP SPT=3D53
> DPT=3D0 LEN=3D44
While the DPT is unusual, it''s not unusual to see these sorts of orphan
DNS=20
replies. I''ve handled them by:

a) cd /etc/shorewall; cp common.def common
b) Add the following to common

    run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

c) restart Shorewall

-Tom
--=20
Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4

This white paper provides a possible explanation as to the ports involved
and the purpose.  (I know, I should have found this before I hit the mailing
list...)

http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html

In short, DPT=0 is often used to fingerprint OSes, and SPT 53 is often not
filtered under the assumption that it''s a DNS reply.

So the question I have now (but not for this list, I''ll pose it
elswhere) is
why would AskJeeves fingerprint my OS when no one from my net is accessing
them?  <g>

Oh well, on to other mailing lists....

Thanks for the replies, Tom...  It got me pointed in the right direction.

John

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, January 02, 2002 5:54 AM
To: Bear; shorewall-users@lists.sourceforge.net; Shorewall Users
Subject: Re: [Shorewall-users] Dropped packet question....


On Wednesday 02 January 2002 04:10 am, Bear wrote:
>
> Log entry:
> Jan  2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.214.36.7
> DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53
> DPT=0 LEN=44
While the DPT is unusual, it''s not unusual to see these sorts of orphan
DNS
replies. I''ve handled them by:

a) cd /etc/shorewall; cp common.def common
b) Add the following to common

    run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

c) restart Shorewall

-Tom

Tracking #: 6C43B925621E1A4A9E1EE411B85E58C481C4669C
--
Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4