All of a sudden, with no change to my Shorewall config, I've started to see a lot of udp packets from dns servers that I use being rejected.

In the log extract below - all of the 61.9 addresses are a family of dns servers and (obviously, I guess) 144.137.xx.xxx is my public interface.

Is it possible that the state connections time out due to poor dns performance?

Oct 11 18:02:42 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=71 TOS=0x00 PREC=0x00 TTL=60 ID=34817 DF PROTO=UDP SPT=53 DPT=40147 LEN=51
Oct 11 17:04:09 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.14 DST=144.137.xx.xxx LEN=72 TOS=0x00 PREC=0x00 TTL=251 ID=34775 DF PROTO=UDP SPT=53 DPT=38951 LEN=52
Oct 11 17:06:35 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.13 DST=144.137.xx.xxx LEN=139 TOS=0x00 PREC=0x00 TTL=60 ID=37999 DF PROTO=UDP SPT=53 DPT=39492 LEN=119
Oct 11 17:07:20 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=130 TOS=0x00 PREC=0x00 TTL=60 ID=47696 DF PROTO=UDP SPT=53 DPT=39595 LEN=110
Oct 11 17:07:55 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=60 ID=47730 DF PROTO=UDP SPT=53 DPT=39696 LEN=92

Roy Barkas
rbarkas@usa.net
Roy Barkas wrote:
> All of a sudden, with no change to my Shorewall config, I've started to
> see a lot of udp packets from dns servers that I use being rejected.
>
> In the log extract below - all of the 61.9 addresses are a family of dns
> servers and (obviously, I guess) 144.137.xx.xxx is my public interface.
>
> Is it possible that the state connections time out due to poor dns
> performance?
>

That's what I've always assumed was happening. In my /etc/shorewall/common file, I have:

run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
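A small triage script for log lines like the ones above, added here as an example and not part of the thread or of Shorewall itself. It picks out drops that look like late DNS answers (UDP, source port 53, replying to an ephemeral destination port, which is what an answer arriving after its conntrack entry expired looks like) and counts them per resolver, so you can see whether the noise really is a handful of known resolvers before silently dropping such packets as in Tom's rule. The sample reuses the thread's five lines (public address masked as in the post, MAC/SRC run together as extracted) plus one constructed TCP line that the filter should ignore.

```shell
#!/bin/sh
# Constructed sample: the five Shorewall DROP lines from the thread plus one
# made-up TCP drop (198.51.100.7 is a documentation address) for contrast.
SAMPLE='Oct 11 18:02:42 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=71 TOS=0x00 PREC=0x00 TTL=60 ID=34817 DF PROTO=UDP SPT=53 DPT=40147 LEN=51
Oct 11 17:04:09 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.14 DST=144.137.xx.xxx LEN=72 TOS=0x00 PREC=0x00 TTL=251 ID=34775 DF PROTO=UDP SPT=53 DPT=38951 LEN=52
Oct 11 17:06:35 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.13 DST=144.137.xx.xxx LEN=139 TOS=0x00 PREC=0x00 TTL=60 ID=37999 DF PROTO=UDP SPT=53 DPT=39492 LEN=119
Oct 11 17:07:20 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=130 TOS=0x00 PREC=0x00 TTL=60 ID=47696 DF PROTO=UDP SPT=53 DPT=39595 LEN=110
Oct 11 17:07:55 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=61.9.128.16 DST=144.137.xx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=60 ID=47730 DF PROTO=UDP SPT=53 DPT=39696 LEN=92
Oct 11 17:08:10 FW72 kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MACSRC=198.51.100.7 DST=144.137.xx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read Shorewall/netfilter log lines on stdin; print "SRC DPT" for each DROP
# that is UDP from source port 53 to an ephemeral port (>= 1024).
# Accepts both the normal "SRC=" field and the extraction-merged "MACSRC=".
late_dns_replies() {
  awk '
    /Shorewall:.*:DROP:/ {
      src = ""; proto = ""; spt = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC" || kv[1] == "MACSRC") src = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "SPT") spt = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (proto == "UDP" && spt == "53" && dpt + 0 >= 1024) print src, dpt
    }'
}

# Count late DNS replies per resolver address, most frequent first ("N SRC").
late_dns_by_server() {
  late_dns_replies | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE" | late_dns_by_server
```

If every entry comes from resolvers you actually use, the drops are stale answers rather than unsolicited traffic, and the interesting follow-up is why the replies take longer than the UDP conntrack timeout.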