[Shorewall-users] Dropped packet question....
Wed, 2 Jan 2002 06:05:30 -0800
This white paper provides a possible explanation as to the ports involved
and the purpose. (I know, I should have found this before I hit the mailing
In short, DPT=0 is often used to fingerprint OSes, and SPT 53 is often not
filtered under the assumption that it's a DNS reply.
So the question I have now (but not for this list, I'll pose it elsewhere) is
why would AskJeeves fingerprint my OS when no one from my net is accessing
Oh well, on to other mailing lists....
Thanks for the replies, Tom... It got me pointed in the right direction.
From: Tom Eastep [mailto:firstname.lastname@example.org]
Sent: Wednesday, January 02, 2002 5:54 AM
To: Bear; email@example.com; Shorewall Users
Subject: Re: [Shorewall-users] Dropped packet question....
On Wednesday 02 January 2002 04:10 am, Bear wrote:
> Log entry:
> Jan 2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=220.127.116.11
> DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53
> DPT=0 LEN=44
While the DPT is unusual, it's not unusual to see these sorts of orphan DNS
replies. I've handled them by:
a) cd /etc/shorewall; cp common.def common
b) Add the following to common
run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP
c) restart Shorewall
Tom Eastep \ firstname.lastname@example.org
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
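As an added example (not part of the thread and not Shorewall's own code), here is a small POSIX shell/awk scanner that reads netfilter log lines like the one Bear posted and reports the pattern Tom's rule drops: UDP packets from source port 53 that arrived with no matching outbound query. Entries with DPT=0 are tagged separately, since the white paper Bear found links that port to OS fingerprinting. The function names are assumptions, and every sample log line after the first is constructed.

```shell
#!/bin/sh
# orphan_dns_replies: read netfilter/Shorewall log lines on stdin and print
# SRC DST DPT TAG for every dropped UDP packet with source port 53. Such a
# packet reached the firewall without a conntrack entry (state NEW), so it is
# a "DNS reply" nobody asked for. DPT=0 gets its own tag because the white
# paper cited in the thread associates it with OS fingerprinting probes.
# Usage against a real log:  orphan_dns_replies < /var/log/messages
orphan_dns_replies() {
    awk '
    {
        proto = ""; spt = ""; dpt = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue            # not a KEY=VALUE token
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (key == "PROTO")    proto = val
            else if (key == "SPT") spt = val
            else if (key == "DPT") dpt = val
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
        }
        if (proto == "UDP" && spt == "53")
            printf "%s %s %s %s\n", src, dst, dpt,
                   (dpt == "0" ? "PORT0-PROBE" : "ORPHAN-REPLY")
    }'
}

# count_port_zero_probes: how many of the orphan replies on stdin target port 0.
count_port_zero_probes() {
    orphan_dns_replies | grep -c 'PORT0-PROBE'
}

# Constructed sample: the first line is the entry Bear posted; the other two
# are made up (one ordinary orphan DNS reply, one unrelated TCP SYN).
SAMPLE_LOG='Jan 2 03:27:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=220.127.116.11 DST=192.168.0.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=32523 PROTO=UDP SPT=53 DPT=0 LEN=44
Jan 2 03:28:10 net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=53 DPT=33512 LEN=53
Jan 2 03:28:11 net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 SYN'

# Run over the constructed sample: two orphan replies, one of them a port-0 probe.
printf '%s\n' "$SAMPLE_LOG" | orphan_dns_replies
```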