Shorewall users - Oct 2004 - IPTABLES question in general

They look like blocked DNS requests.  Is there a DNS server somewhere
saying that your firewall (or the DMZ behind your firewall) is the
authoritative DNS server for some domain?


On Wed, 20 Oct 2004 23:30:42 -0500, Shorewall Admin User
<shorewall@thebuc.com> wrote:
> Hello All,
> 
> I have a question in regards to iptables in general, I have been getting
these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service.  My question is why would I get these all the time, they are from
> multiple different sites.  Are they trying to do something to my host or is
> this a common occurance?
> 
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF
PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF
PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF
PROTO=UDP SPT=9253 DPT=53 LEN=36
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

Hello All,

I have a question in regards to iptables in general, I have been getting these
log messages for a while now, and I am trying to figure out why these are 
coming in, I know that I am dropping all packets from the net 2 dmz named
service.  My question is why would I get these all the time, they are from 
multiple different sites.  Are they trying to do something to my host or is 
this a common occurance?

-------- cut ----------
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF
PROTO=UDP SPT=9166 DPT=53 LEN=36
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF
PROTO=UDP SPT=55524 DPT=53 LEN=36
Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF
PROTO=UDP SPT=9253 DPT=53 LEN=36

Shorewall Admin User wrote:
> 
> Hello All,
> 
> I have a question in regards to iptables in general, I have been getting
these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service.  My question is why would I get these all the time, they are from
> multiple different sites.  Are they trying to do something to my host or is
> this a common occurance?
> 
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF
PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF
PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2
SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF
PROTO=UDP SPT=9253 DPT=53 LEN=36
It''s still quite a nuisance. They started to show up at about the
beginning of 2001, actually. Several people started to notice this on
the LEAF-LRP lists and then appeared promptly on the Incidents list at
Securityfocus.com and Usenet. When a pop-up ad appeared, showing a cam,
in a web browser, it triggered a load of DROP, DENY messages in the
logs, non-SYN packets destined to port 53 on users'' machines, like your
own. You can see a brief detailed explanation below, with the
coyotepoint.com link. It''s a way of getting the end user to see the ad
at its closest location rather than circumventing the globe to reach a
very remote host, hosting the same ad, wasting bandwidth resources.
Unfortunately, www.geocrawler.com seems to be down for the moment, where
you can find more postings on this subject.

http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2002-06/0805.html
http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg01321.html

Regards,
-- 
Patrick Benson
Stockholm, Sweden

I have been trying to get connected to an http://server/printers/prtqueue
printer that resides on a linux/cups box behind a shorewall firewall with no
luck so far.  I can connect to the printer easily from inside the network
but from outside it just isn''t happening.  I do have tcp 631 forwarded
to
the correct machine, anyone know if any other ports are required or maybe
some kind of special config....

Thanks.

Correction, as I have now tested it does work when only the printer is
behind a firewall, but not when the printer is behind one firewall, and the
client is behind another firewall across the internet.  I can connect to the
web interface of cups on 631, but can''t print...  Windows just kind of
hangs
after installing the printer drivers and gets stuck at opening printer.  Any
ideas?

Thanks.

>I have been trying to get connected to an http://server/printers/prtqueue
>printer that resides on a linux/cups box behind a shorewall firewall with
>no
>luck so far.  I can connect to the printer easily from inside the network
>but from outside it just isn''t happening.  I do have tcp 631
forwarded to
>the correct machine, anyone know if any other ports are required or maybe
>some kind of special config....
>
>Thanks.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

Nevermind, it ended up being HP''s LJ 3030 driver causing the problem.. 
when
I use a 3200 driver everything works fine.

>Correction, as I have now tested it does work when only the printer is
>behind a firewall, but not when the printer is behind one firewall, and the
>client is behind another firewall across the internet.  I can connect to
>the
>web interface of cups on 631, but can''t print...  Windows just kind
of
>hangs
>after installing the printer drivers and gets stuck at opening printer.
>Any
>ideas?
>
>Thanks.
>
>
>>I have been trying to get connected to an
http://server/printers/prtqueue
>>printer that resides on a linux/cups box behind a shorewall firewall
with
>>no
>>luck so far.  I can connect to the printer easily from inside the
network
>>but from outside it just isn''t happening.  I do have tcp 631
forwarded to
>>the correct machine, anyone know if any other ports are required or
maybe
>>some kind of special config....
>>
>>Thanks.
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm