[Shorewall-users] Dropped packet question....

Bear bear@amberorder.com
Wed, 2 Jan 2002 06:05:30 -0800


This white paper provides a possible explanation as to the ports involved
and the purpose.  (I know, I should have found this before I hit the mailing
list...)

http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html

In short, DPT=0 is often used to fingerprint OSes, and SPT 53 is often not
filtered under the assumption that it's a DNS reply.

So the question I have now (but not for this list, I'll pose it elsewhere) is
why would AskJeeves fingerprint my OS when no one from my net is accessing
them?  <g>

Oh well, on to other mailing lists....

Thanks for the replies, Tom...  It got me pointed in the right direction.

John

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, January 02, 2002 5:54 AM
To: Bear; shorewall-users@lists.sourceforge.net; Shorewall Users
Subject: Re: [Shorewall-users] Dropped packet question....


On Wednesday 02 January 2002 04:10 am, Bear wrote:

>
> Log entry:
> Jan  2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.214.36.7
> DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53
> DPT=0 LEN=44

While the DPT is unusual, it's not unusual to see these sorts of orphan DNS
replies. I've handled them by:

a) cd /etc/shorewall; cp common.def common
b) Add the following to common

    # Drop UDP from source port 53 that is not a reply to a query we sent
    run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP

c) restart Shorewall

-Tom

Tracking #: 6C43B925621E1A4A9E1EE411B85E58C481C4669C
--
Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4
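As an added example, not code from the Shorewall project or from either poster, the following Python script parses netfilter/Shorewall log lines of the kind quoted above and flags the traits the thread discusses: a destination port of 0 (fingerprinting), a source port of 53 aimed at a non-ephemeral port (not a reply to any resolver query), and a TTL that expires at the firewall (the TTL-based probing technique the linked Firewalk paper describes). The first sample line is the one from the original post; the other three are constructed here, as are the heuristic thresholds and the helper names.

```python
"""Triage netfilter/Shorewall LOG lines for orphan "DNS replies" and
Firewalk-style probes.

Added example, not part of Shorewall or the mailing-list posts.
"""
import re
from typing import Dict, List, Tuple

# KEY=VALUE fields as written by the kernel LOG target; Shorewall supplies
# the chain and disposition ("net2all:DROP:") as the log prefix.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log. Line 1 is the packet from the original post; lines
# 2-4 are made up here to exercise the classifier (a clean reply to an
# ephemeral port, a sport-53 probe with TTL=1, and a TCP probe to port 0).
SAMPLE_LOG = """\
Jan  2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.214.36.7 DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53 DPT=0 LEN=44
Jan  2 03:28:10 net2all:DROP:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=192.168.0.25 LEN=89 TOS=0x00 PREC=0x00 TTL=54 ID=4711 PROTO=UDP SPT=53 DPT=32771 LEN=69
Jan  2 03:28:15 net2all:DROP:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=192.168.0.25 LEN=48 TOS=0x00 PREC=0x00 TTL=1 ID=4712 PROTO=UDP SPT=53 DPT=22 LEN=28
Jan  2 03:28:20 net2all:DROP:IN=eth0 OUT=eth1 SRC=192.0.2.11 DST=192.168.0.25 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=4713 PROTO=TCP SPT=80 DPT=0 WINDOW=0 RES=0x00 ACK RST URGP=0
"""


def parse_netfilter_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one LOG line.

    LEN appears twice (outer IP length, then the UDP length); the first
    occurrence wins so fields["LEN"] is the IP total length.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value)
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Heuristic reasons (assumed thresholds) a packet is a probe rather
    than the DNS reply its source port suggests."""
    reasons: List[str] = []
    proto = fields.get("PROTO")
    if proto not in ("UDP", "TCP"):
        return reasons
    spt = int(fields.get("SPT", -1))
    dpt = int(fields.get("DPT", -1))
    ttl = int(fields.get("TTL", -1))
    if dpt == 0:
        reasons.append("destination port 0: no service answers there, a fingerprinting probe")
    if proto == "UDP" and spt == 53 and 0 < dpt < 1024:
        reasons.append("source port 53 to a non-ephemeral port: not a reply to a resolver query")
    if 0 <= ttl <= 1:
        reasons.append("TTL expires at this hop: consistent with a Firewalk-style TTL probe")
    return reasons


def find_suspicious(log: str) -> List[Tuple[str, int, int, List[str]]]:
    """Return (src, sport, dport, reasons) for every line that trips a rule."""
    hits: List[Tuple[str, int, int, List[str]]] = []
    for line in log.splitlines():
        fields = parse_netfilter_line(line)
        if "SRC" not in fields:
            continue  # not a packet log line
        reasons = classify(fields)
        if reasons:
            hits.append((fields["SRC"], int(fields["SPT"]), int(fields["DPT"]), reasons))
    return hits


if __name__ == "__main__":
    for src, spt, dpt, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{src} {spt}->{dpt}")
        for reason in reasons:
            print("  -", reason)
```

The log line cannot tell you whether the packet matched an outstanding query, which is what the conntrack state means in the `--state NEW` rule above; this script is for after-the-fact triage of what was already logged, and the firewall rule remains the enforcement point.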