Those are just late DNS replies--port 53 is DNS, and the IP you gave points to a DNS server (ns1.gci.net). "dig -x" is your friend :)

The connection tracking table used by iptables to masquerade your internal network will only "hold open" a UDP connection for a certain amount of time; if no traffic flows in either direction, the entry in the connection tracking table will be removed, and further packets from outside will be dropped by the firewall rather than being routed to the internal network. That tends to happen relatively frequently with DNS servers. I've got a couple of hundred of those messages in this week's logs already.

I suppose that, if you were getting thousands of these from many DNS servers, it could be someone trying to pull off a DDOS attack by spoofing DNS requests with your source IP, but it doesn't seem all that likely.

A message from Tom on the subject (and a way to silently drop these packets) is in the list archives here:

https://www.shorewall.net/pipermail/shorewall-users/2002-June/001702.html

I'd make the standard complaint that you should have googled the list yourself, but I found it difficult to get Google to find the message, even though I knew it was there. Searching for <"spt=53" bradeyh> pulled it up, but <"spt 53" shorewall-users> didn't, at least until I clicked on "repeat the search with the omitted results included." That seems weird--is Google having problems?

- Bradey

-----Original Message-----
From: John S. Andersen [mailto:jsa@norcomix.dyndns.org]
Sent: Wednesday, January 08, 2003 5:02 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Is this an exploit of some sort?

All day long I get a steady flow of these packets from 208.138.130.16 (port 53) to some high numbered port (40275). They get dropped, but what the heck are they? Anyone have a clue?

Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUTMAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33

I don't get so many as to be a DOS, but they look like some sort of probe.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
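
The triage described in the reply above (UDP drops from source port 53 to a high port are probably late DNS answers, and only a large volume from many servers is worth a closer look) can be scripted over the firewall log. This is an added example, not part of the original thread or of Shorewall; the function names and thresholds are assumptions, and the sample lines are constructed in the log format quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample in the kernel LOG format quoted in the thread. The first
# two lines reuse the thread's addresses; the others use documentation-range IPs.
SAMPLE_LOG = """\
Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
Jan 8 15:51:02 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8301 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
Jan 8 15:52:10 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=24.237.22.45 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5120 DF PROTO=TCP SPT=33211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 8 15:53:40 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=24.237.22.45 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=771 PROTO=UDP SPT=1026 DPT=137 LEN=58
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; the value may be empty (OUT=)


def parse(line):
    """Return the KEY=VALUE fields of one Shorewall DROP line, or None."""
    if ":DROP:" not in line:
        return None
    return dict(FIELD.findall(line))


def is_late_dns_reply(f):
    """UDP from source port 53 to an unprivileged port: the shape of a DNS
    answer that arrived after its connection tracking entry expired."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "53"
            and f.get("DPT", "").isdigit() and int(f["DPT"]) >= 1024)


def summarize(log_text, max_sources=20, max_packets=1000):
    """Count late-DNS-reply drops per source address and flag the pattern the
    reply mentions: very many packets from many servers. Both thresholds are
    assumed values, not taken from the thread."""
    per_source = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        if f and is_late_dns_reply(f):
            per_source[f["SRC"]] += 1
    total = sum(per_source.values())
    suspicious = len(per_source) > max_sources and total > max_packets
    return per_source, suspicious


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} dropped DNS replies")
    print("investigate" if suspicious else "consistent with ordinary late replies")
```

Each source address that shows up can then be checked with "dig -x", as the reply suggests, to confirm it is a name server your hosts actually query.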