They look like blocked DNS requests. Is there a DNS server somewhere saying that your firewall (or the DMZ behind your firewall) is the authoritative DNS server for some domain?

On Wed, 20 Oct 2004 23:30:42 -0500, Shorewall Admin User <shorewall@thebuc.com> wrote:
> Hello All,
>
> I have a question in regards to iptables in general, I have been getting these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service. My question is why would I get these all the time, they are from
> multiple different sites. Are they trying to do something to my host or is
> this a common occurrence?
>
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: shorewall.net/support.htm
> FAQ: shorewall.net/FAQ.htm
Hello All,

I have a question in regards to iptables in general, I have been getting these log messages for a while now, and I am trying to figure out why these are coming in, I know that I am dropping all packets from the net 2 dmz named service. My question is why would I get these all the time, they are from multiple different sites. Are they trying to do something to my host or is this a common occurrence?

-------- cut ----------
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36
Shorewall Admin User wrote:
>
> Hello All,
>
> I have a question in regards to iptables in general, I have been getting these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service. My question is why would I get these all the time, they are from
> multiple different sites. Are they trying to do something to my host or is
> this a common occurrence?
>
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36

It's still quite a nuisance. They started to show up at about the beginning of 2001, actually. Several people started to notice this on the LEAF-LRP lists and then appeared promptly on the Incidents list at Securityfocus.com and Usenet. When a pop-up ad appeared, showing a cam, in a web browser, it triggered a load of DROP, DENY messages in the logs, non-SYN packets destined to port 53 on users' machines, like your own. You can see a brief detailed explanation below, with the coyotepoint.com link. It's a way of getting the end user to see the ad at its closest location rather than circumventing the globe to reach a very remote host, hosting the same ad, wasting bandwidth resources. Unfortunately, geocrawler.com seems to be down for the moment, where you can find more postings on this subject.

derkeiler.com/Newsgroups/comp.os.linux.security/2002-06/0805.html
mail-archive.com/leaf-user@lists.sourceforge.net/msg01321.html

Regards,
--
Patrick Benson
Stockholm, Sweden
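An added example, not part of the original thread: a small parser for the Shorewall-prefixed netfilter log lines quoted above that groups dropped port-53 packets by source address, so an admin can see which remote hosts are probing and how often. The function names `parse_line` and `summarize_dns_drops` are hypothetical; the sample lines are the three from the original post.

```python
import re
from collections import defaultdict

# The three log lines from the post above (DST was already masked by the poster).
SAMPLE = """\
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36
"""

# Log prefix as it appears in the sample: Shorewall:<chain>:<disposition>:
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")

def parse_line(line):
    """Return a dict for one Shorewall-prefixed LOG line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disposition"], "flags": []}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if not sep:
            rec["flags"].append(key)   # bare tokens such as DF
        elif key not in rec:           # LEN occurs twice: keep the first (IP length),
            rec[key] = value           # the second one is the UDP length
    return rec

def summarize_dns_drops(text):
    """Group DROP entries aimed at port 53 by source address."""
    by_src = defaultdict(lambda: {"count": 0, "spts": set(), "protos": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["disposition"] != "DROP" or rec.get("DPT") != "53":
            continue
        entry = by_src[rec.get("SRC")]
        entry["count"] += 1
        entry["spts"].add(rec.get("SPT"))
        entry["protos"].add(rec.get("PROTO"))
    return dict(by_src)

if __name__ == "__main__":
    for src, e in sorted(summarize_dns_drops(SAMPLE).items()):
        print(src, e["count"], sorted(e["protos"]), sorted(e["spts"]))
```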
I have been trying to get connected to an server/printers/prtqueue printer that resides on a linux/cups box behind a shorewall firewall with no luck so far. I can connect to the printer easily from inside the network but from outside it just isn't happening. I do have tcp 631 forwarded to the correct machine, anyone know if any other ports are required or maybe some kind of special config....

Thanks.
Correction, as I have now tested it does work when only the printer is behind a firewall, but not when the printer is behind one firewall, and the client is behind another firewall across the internet. I can connect to the web interface of cups on 631, but can't print... Windows just kind of hangs after installing the printer drivers and gets stuck at opening printer. Any ideas?

Thanks.

>I have been trying to get connected to an server/printers/prtqueue
>printer that resides on a linux/cups box behind a shorewall firewall with
>no
>luck so far. I can connect to the printer easily from inside the network
>but from outside it just isn't happening. I do have tcp 631 forwarded to
>the correct machine, anyone know if any other ports are required or maybe
>some kind of special config....
>
>Thanks.
Nevermind, it ended up being HP's LJ 3030 driver causing the problem.. when I use a 3200 driver everything works fine.

>Correction, as I have now tested it does work when only the printer is
>behind a firewall, but not when the printer is behind one firewall, and the
>client is behind another firewall across the internet. I can connect to
>the
>web interface of cups on 631, but can't print... Windows just kind of
>hangs
>after installing the printer drivers and gets stuck at opening printer.
>Any
>ideas?
>
>Thanks.
>
>
>>I have been trying to get connected to an server/printers/prtqueue
>>printer that resides on a linux/cups box behind a shorewall firewall with
>>no
>>luck so far. I can connect to the printer easily from inside the network
>>but from outside it just isn't happening. I do have tcp 631 forwarded to
>>the correct machine, anyone know if any other ports are required or maybe
>>some kind of special config....
>>
>>Thanks.