Where is this package from?

---------------------------------------------------------v
Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64
ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72

It comes two-three times per minute. There is no machine with the IP
number 192.168.0.1.

John

Hm, DNS request from 192.168.0.7 to nameserver 192.168.0.1?

Ralf

John Plate wrote:
> Where is this package from?
>
> ---------------------------------------------------------v
> Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64
> ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72
>
> It comes two-three times per minute. There is no machine with the IP
> number 192.168.0.1.
>
> John
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Ralf Sauther wrote:
> Hm, DNS request from 192.168.0.7 to nameserver 192.168.0.1?

No, 192.168.0.1 does not exist! 192.168.0.7 is the nameserver machine.

The "IN=" port is empty!

John

> John Plate wrote:
> > Where is this package from?
> >
> > ---------------------------------------------------------v
> > Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> > SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64
> > ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72
> >
> > It comes two-three times per minute. There is no machine with the IP
> > number 192.168.0.1.
> >
> > John

In this case the packet is IMHO locally generated. You should check your
nameserver setup at 192.168.0.7, maybe there is a forwarder entry pointing
to 192.168.0.1 or /etc/resolv.conf ...

Ralf

> No, 192.168.0.1 does not exist! 192.168.0.7 is the nameserver machine.
>
> The "IN=" port is empty!
>
> John
>
>> John Plate wrote:
>>
>>> Where is this package from?
>>>
>>> ---------------------------------------------------------v
>>> Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
>>> SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64
>>> ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72
>>>
>>> It comes two-three times per minute. There is no machine with the IP
>>> number 192.168.0.1.
>>>
>>> John

John,

On 27-Nov-2005 19:11, John Plate wrote:
> Where is this package from?
>
> ---------------------------------------------------------v
> Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64
> ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72

No IN interface normally means locally generated. Does the machine named
"ache" indeed have an interface with the IP 192.168.0.7?

The LEN (Length) is 92, which is normal for a DNS request.
Source port (SPT) is high, looks normal.
Destination port is 53, looks like a DNS query.

If you set up your bind to do query logging you might be able to correlate
why it's doing those queries. Most likely it's a domain somewhere on the
internet which has one or more NS records for the 192.168.0.1 address.

Queries like this are quite easily triggerable when utilizing p2p-like
applications: kazaa, morpheus, skype etc. Due to ppl configuring their
nat/proxy'ng wrong etc etc the clients receive RFC1918 addresses, and when
a user attempts to download or find info in regards to these peers they
often do a DNS query.

Bottom line, check the query log and see what is being resolved.

Stijn

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>

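
The field-by-field reading in the reply above (empty IN= means locally generated, DPT=53 means DNS, RFC1918 destination) can be applied to a whole log. This is an added example, not part of the original thread; the second sample line and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the thread's log line joined onto one line,
# plus one made-up inbound line for contrast.
SAMPLE = [
    "Nov 27 18:41:05 ache kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=192.168.0.7 DST=192.168.0.1 LEN=92 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=10397 DF PROTO=UDP SPT=32768 DPT=53 LEN=72",
    "Nov 27 18:41:09 ache kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=192.168.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=4321 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 SYN URGP=0",
]
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse(line):
    """Split a Shorewall log line into chain, disposition and KEY=value fields."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no Shorewall log prefix found")
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD.findall(line[m.end():]):
        rec.setdefault(key, value)  # LEN occurs twice (IP, then UDP); keep IP
    return rec

def origin(rec):
    """Classify by which interface fields are filled (filter-table logging assumed)."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "forwarded"
    if has_out:
        return "locally generated"   # empty IN=: the firewall host sent it
    return "inbound to this host" if has_in else "unknown"

def describe(line):
    rec = parse(line)
    return {
        "origin": origin(rec),
        "dns_query": rec.get("PROTO") in ("UDP", "TCP") and rec.get("DPT") == "53",
        "dst_private": ipaddress.ip_address(rec["DST"]).is_private,
        "policy": f'{rec["chain"]} -> {rec["disposition"]}',
        "dst": rec["DST"],
    }

def local_dns_targets(lines):
    """Count destinations of locally generated DNS queries that were logged."""
    hits = (describe(l) for l in lines)
    return Counter(h["dst"] for h in hits
                   if h["origin"] == "locally generated" and h["dns_query"])
```

A destination that shows up in `local_dns_targets` is what the resolver on the firewall host is being told to ask, which is what the query log suggested above would confirm.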