This white paper provides a possible explanation as to the ports involved
and the purpose. (I know, I should have found this before I hit the mailing
list...)
http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html
In short, DPT=0 is often used to fingerprint OSes, and SPT 53 is often not
filtered under the assumption that it's a DNS reply.
So the question I have now (but not for this list, I'll pose it elsewhere) is
why would AskJeeves fingerprint my OS when no one from my net is accessing
them? <g>
Oh well, on to other mailing lists....
Thanks for the replies, Tom... It got me pointed in the right direction.
John
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, January 02, 2002 5:54 AM
To: Bear; shorewall-users@lists.sourceforge.net; Shorewall Users
Subject: Re: [Shorewall-users] Dropped packet question....
On Wednesday 02 January 2002 04:10 am, Bear wrote:
>
> Log entry:
> Jan 2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.214.36.7
> DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53
> DPT=0 LEN=44
While the DPT is unusual, it's not unusual to see these sorts of orphan DNS
replies. I've handled them by:
a) cd /etc/shorewall; cp common.def common
b) Add the following to common
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
c) restart Shorewall
-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
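The log line Tom quotes above, as an added example that is not code from this thread or from Shorewall: a small Python parser for netfilter/Shorewall log lines of that shape, plus a classifier that tags the traits discussed in the thread (UDP from source port 53 that the firewall did not accept as a reply, destination port 0, and a TTL of 1). The sample lines are constructed; the first is the one from the post, the other two are made up with documentation-range addresses to show a plain unsolicited reply and an unrelated TCP drop. The tag names, the field names IP_LEN/L4_LEN and the triage function are my own choices.

```python
"""Parse and classify Shorewall/netfilter drop log lines (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample log. Line 1 is the entry from the post; lines 2 and 3
# are made up (RFC 5737 addresses) for comparison.
SAMPLE_LOG = """\
Jan 2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.214.36.7 DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53 DPT=0 LEN=44
Jan 2 03:30:01 net2all:DROP:IN=eth0 OUT=eth1 SRC=192.0.2.53 DST=192.168.0.25 LEN=96 TOS=0x00 PREC=0x00 TTL=55 ID=1001 PROTO=UDP SPT=53 DPT=33401 LEN=76
Jan 2 03:31:12 net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.4 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=7 PROTO=TCP SPT=4444 DPT=445 WINDOW=8192
"""

# "<timestamp> <chain>:<action>:" prefix that Shorewall puts in front of the
# netfilter KEY=value fields.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<chain>[\w-]+):(?P<action>ACCEPT|DROP|REJECT):"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Return the header fields and every KEY=value pair as a dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    rec: Dict[str, str] = m.groupdict()
    lens: List[str] = []
    for key, val in FIELD_RE.findall(line[m.end():]):
        if key == "LEN":
            # netfilter prints LEN twice for UDP: IP total length, then UDP length
            lens.append(val)
        else:
            rec[key] = val
    if lens:
        rec["IP_LEN"] = lens[0]
    if len(lens) > 1:
        rec["L4_LEN"] = lens[1]
    return rec


def classify(rec: Dict[str, str]) -> List[str]:
    """Tag the traits the thread discusses. Tag names are this example's own.

    A log line carries no conntrack state, so this cannot reproduce the
    `--state NEW` part of Tom's rule; it only flags the packet's shape.
    """
    tags: List[str] = []
    if rec.get("PROTO") == "UDP" and rec.get("SPT") == "53":
        # Dropped by the firewall, so it was not matched as the reply to a query we sent.
        tags.append("unsolicited-sport-53")
        if rec.get("DPT") == "0":
            tags.append("dport-0")
    if "TTL" in rec and int(rec["TTL"]) <= 1:
        # Packet would expire at the next hop (the Firewalk-style trait).
        tags.append("ttl-expiring")
    return tags


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """(SRC, tags) for every non-empty line of a log excerpt."""
    return [
        (rec["SRC"], classify(rec))
        for rec in (parse_line(l) for l in log_text.splitlines() if l.strip())
    ]


if __name__ == "__main__":
    for src, tags in triage(SAMPLE_LOG):
        print(src, ",".join(tags) or "-")
```

Run stand-alone it prints one line per log entry; only the entry from the post collects all three tags, the made-up DNS reply gets just the source-port tag, and the TCP drop gets none.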