[Shorewall-users] fw2net DROP messages

bogdan bogdan at emis.com.au
Sat Aug 30 15:31:21 PDT 2003


Hi all

Before I started to write this question I was sure that the messages "fw2net
DROP...." were not showing up often, but when I looked closely at the logs there
turned out to be plenty.

Did someone compromise our DNS (secondary DNS)?

Why would DNS send the packets to ports other than the one requested (wrong
config, connection timeout, web server already has the answer for the query)?

What should I do with this traffic? Is it OK to allow DNS 203.94.161.6 to go
to web server 203.94.161.7 the way it wants to?
PS. We use this box to go out as a GW for a few dialups and internal hosts.

Thanks for the help
Bogdan

rules file
----------------------
REJECT net   $FW  tcp ssh,auth
DROP net   $FW  icmp 8
DROP net   loc  icmp 8
DROP net   dial1  icmp 8
DROP net   dial2  icmp 8
DROP dial1   $FW  icmp 8

ACCEPT loc $FW tcp 53  # DNS
ACCEPT loc $FW udp 53  # DNS
ACCEPT loc net tcp 53  # DNS
ACCEPT loc net udp 53  # DNS
ACCEPT net $FW tcp 53  # DNS
ACCEPT net $FW udp 53  # DNS
ACCEPT $FW net tcp 53,123  # DNS and TIME
ACCEPT $FW net udp 53,123  # DNS and TIME


#  $FW to dns and to net
ACCEPT $FW   net  icmp 8
ACCEPT $FW   loc  icmp 8
ACCEPT $FW   net:203.94.161.5 tcp 53
ACCEPT $FW   net:203.94.161.5 udp 53
ACCEPT $FW   net tcp 20,21,25,80,110,123,443,10987
ACCEPT $FW   net udp 123

#  local
ACCEPT loc   $FW  icmp 8
ACCEPT loc   net  icmp 8
ACCEPT loc   net:203.94.161.5 tcp 53
ACCEPT loc   net:203.94.161.5 udp 53
ACCEPT loc   net:210.8.42.18 tcp 8080 # BBF accounts
ACCEPT loc   net tcp 20,21,22,23,25,80,110,443,10987,56789
ACCEPT loc   $FW tcp 20,21,22,23,25,80,110,443,10987

ACCEPT loc:~00-40-f4-42-33-9b net all # wally 5.100

# dialin
ACCEPT dial1   $FW  icmp 8
ACCEPT dial1   loc  icmp 8
ACCEPT dial1   $FW tcp 53  # fns1
ACCEPT dial1   $FW udp 53  # fns1
ACCEPT dial1   net:203.94.161.5 tcp 53
ACCEPT dial1   net:203.94.161.5 udp 53
ACCEPT dial1   net tcp 20,21,25,80,81,110,443,10987
# these are outgoing, port 81 for mmm

ACCEPT dial2   $FW  icmp 8
ACCEPT dial2   loc  icmp 8
ACCEPT dial2   $FW tcp 53 # fns1
ACCEPT dial2   $FW udp 53 # fns1
ACCEPT dial2   $FW tcp 80,443
ACCEPT dial2   net:203.94.161.5 tcp 53
ACCEPT dial2   net:203.94.161.5 udp 53
ACCEPT dial2   net tcp 20,21,25,80,110,443,10987

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


-----------------
messages:Aug 30 13:20:50 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34225 LEN=34
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34226 LEN=40
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34230 LEN=40
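The three log lines quoted above, parsed and classified, as an added example that is not part of the original post or of Shorewall itself. The thing worth reading off the lines is the direction: IN= is empty and OUT=eth0, so every logged packet was generated on the firewall box (fns1) itself, and a UDP packet with SPT=53 going to a high port is the shape of a DNS answer, not a query. The parser and the classification heuristic (source port 53 plus destination port >= 1024 means "answer") are assumptions of this example; the sample lines are copied from the post and re-joined where the mail wrapped them.

```python
import re
from collections import Counter

# Three Shorewall log lines copied from the post above, each re-joined onto one
# line (the mail client wrapped them). The "messages:" prefix is grep's filename.
SAMPLE_LOG = """\
messages:Aug 30 13:20:50 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34225 LEN=34
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34226 LEN=40
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34230 LEN=40
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:", followed by the
# usual netfilter key=value fields (plus bare flags such as DF, which we skip).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    # "IN=" carries an empty value. LEN appears twice (IP total length, then
    # UDP length); the later one overwrites the earlier, which is fine here.
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group("key")] = f.group("value")
    return rec


def classify(rec):
    """Name the kind of packet the firewall logged, using only what the line says.

    IN= empty means the packet originated on the firewall itself rather than
    being forwarded. The port heuristic is this example's assumption.
    """
    proto = rec.get("PROTO", "?")
    if "SPT" not in rec or "DPT" not in rec:
        return f"{proto} without ports"
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    local_origin = rec.get("IN", "") == ""
    if proto == "UDP" and spt == 53 and dpt >= 1024:
        where = "firewall-originated" if local_origin else "forwarded"
        return f"{where} DNS answer (sport 53 -> ephemeral port)"
    if proto in ("UDP", "TCP") and dpt == 53:
        return "DNS query"
    return f"{proto} {spt}->{dpt}"


def summarize(text):
    """Count (chain, disposition, src, dst, classification) tuples over a log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"], rec["SRC"], rec["DST"], classify(rec))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (chain, disp, src, dst, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {chain}:{disp}  {src} -> {dst}  {kind}")
```

Run it against a real /var/log/messages excerpt (`grep Shorewall /var/log/messages | python3 thisfile.py` after swapping SAMPLE_LOG for stdin) to see whether the rejected fw2net traffic is anything other than the firewall's own name server answering queries from 203.94.161.7. Answers to queries that 203.94.161.7 sent will carry SPT=53 and varying high destination ports exactly like the lines above; a differently shaped pattern (other destinations, or DPT=53 from the firewall) would be worth a closer look.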