On Fri, Sep 12, 2003 at 09:40:27PM -0400, James R. Van Zandt wrote:
>
> I think my setup is fairly standard: a Linux box connected to a router
> (Linksys BEFSR41) connected to a cable modem connected to a Comcast
> cable. The router is set up to forward SSH and nothing else. The
> Linux box has a firewall that drops some packets silently but logs
> others.
>
> I'd like to understand these entries in my syslog:
>
> vanzandt:/var/log# grep Drop syslog|tail -6
> Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT=
> MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
> DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF
> PROTO=UDP SPT=53 DPT=56639 LEN=58

A UDP packet sent from port 53 to a random port on your system would be
a DNS reply.

> The packets are coming from 204.127.204.8, which is one of the Comcast
> domain name servers:
>
> vanzandt:~$ host 204.127.204.8
> Name: ns13.attbi.com
> Address: 204.127.204.8

Oh look, a name server.

> First, why should their server send UDP packets to various
> high-numbered ports on my machine?

Because your DNS system requested a lookup, and it's replying?

> Second, how are those packets getting through my router?

The magic of NAT. Remember that UDP is not session oriented, and so a
non-stateful packet filter has to let it in if it looks legit.

Is this not one of the nameservers your machine is trying to use?

-dsr-

--
Network engineer / pre-sales engineer available in the Boston area.
http://tao.merseine.nu/~dsr
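The reply above reads the dropped packet from its shape alone: UDP, source port 53, an ephemeral destination port, and a source that is one of the host's own resolvers. The script below, added here as an example and not code from the thread or from dsr, applies that same reasoning to netfilter "Dropping packet:" syslog lines. It parses the key=value fields, then checks each dropped UDP/53 packet against the set of nameservers the host is configured to use. The resolver set and all but the first log line are constructed for the example (the first line is the one quoted in the thread, joined onto a single line); a real deployment would read the resolvers from /etc/resolv.conf.

```python
"""Interpret netfilter "Dropping packet:" syslog entries.

Added example for this thread; it is not code from the original post.
The resolver set stands in for the nameservers listed in the host's
/etc/resolv.conf (an assumption; the thread only names 204.127.204.8).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

MARKER = "Dropping packet:"
# key=value tokens of a netfilter LOG line; OUT= may legitimately be empty
_TOKEN = re.compile(r"(\w+)=(\S*)")

# Constructed sample input. The first line is the one quoted in the thread
# (joined onto one line); the others are made up, using 192.0.2.0/24
# (TEST-NET-1) for the sources, so the scenario stays hypothetical.
SAMPLE_LOG: List[str] = [
    "Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT= "
    "MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 "
    "DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF "
    "PROTO=UDP SPT=53 DPT=56639 LEN=58",
    "Sep 12 20:21:02 vanzandt kernel: Dropping packet: IN=eth0 OUT= "
    "MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=192.0.2.77 "
    "DST=192.168.1.102 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF "
    "PROTO=UDP SPT=53 DPT=1025 LEN=40",
    "Sep 12 20:22:30 vanzandt kernel: Dropping packet: IN=eth0 OUT= "
    "MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=192.0.2.9 "
    "DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9 DF "
    "PROTO=TCP SPT=4455 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Sep 12 20:23:00 vanzandt sshd[123]: Accepted publickey for jrv",
]

# Nameservers the host is configured to use (constructed; see docstring).
CONFIGURED_RESOLVERS: Set[str] = {"204.127.204.8"}


def parse_netfilter_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one netfilter LOG line, or None for
    any other syslog line. A UDP LOG line carries LEN twice (IP total
    length, then UDP length); the second copy is stored under UDPLEN."""
    if MARKER not in line:
        return None
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line.split(MARKER, 1)[1]):
        if key == "LEN" and "LEN" in fields:
            fields["UDPLEN"] = value
        else:
            fields[key] = value
    return fields


def classify(fields: Dict[str, str], resolvers: Set[str]) -> str:
    """Apply the reasoning from the reply: UDP from source port 53 to an
    ephemeral port is shaped like a DNS answer; if the source is one of the
    host's own resolvers it is almost certainly the answer to a query the
    host sent, and the drop is a filter that does not track UDP state."""
    if fields.get("PROTO") != "UDP" or fields.get("SPT") != "53":
        return "not-dns-shaped"
    try:
        ephemeral = int(fields.get("DPT", "0")) >= 1024
    except ValueError:
        ephemeral = False
    if fields.get("SRC") in resolvers and ephemeral:
        return "dns-reply-from-configured-resolver"
    return "udp-from-port-53-unexpected-source"


def summarize(lines: List[str], resolvers: Set[str]) -> Dict[str, int]:
    """Count how the dropped packets in a log excerpt classify."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_netfilter_line(line)
        if fields is not None:
            counts[classify(fields, resolvers)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG, CONFIGURED_RESOLVERS).items():
        print(f"{label}: {n}")
```

The split between the two UDP/53 categories is the check the reply asks for: a dropped answer from a configured resolver is noise caused by a stateless rule set (on the Linux box, accepting ESTABLISHED,RELATED traffic ahead of the drop rule lets those answers in without opening UDP generally), whereas UDP from port 53 at a source the host never queried is the case worth keeping in the log.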