odd incoming packets

dsr at tao.merseine.nu
Fri Sep 12 22:04:29 EDT 2003


On Fri, Sep 12, 2003 at 09:40:27PM -0400, James R. Van Zandt wrote:
> 
> I think my setup is fairly standard: a Linux box connected to a router
> (Linksys BEFSR41) connected to a cable modem connected to a Comcast
> cable.  The router is set up to forward SSH and nothing else.  The
> Linux box has a firewall that drops some packets silently but logs
> others.
> 
> I'd like to understand these entries in my syslog:
> 
> vanzandt:/var/log# grep Drop syslog|tail -6
> Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT=
> MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
> DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF
> PROTO=UDP SPT=53 DPT=56639 LEN=58

A UDP packet sent from port 53 to a random port on your system would be
a DNS reply.

> The packets are coming from 204.127.204.8, which is one of the Comcast
> domain name servers:
> 
>   vanzandt:~$ host 204.127.204.8
>   Name: ns13.attbi.com
>   Address: 204.127.204.8

Oh look, a name server.

> First, why should their server send UDP packets to various
> high-numbered ports on my machine?

Because your DNS system requested a lookup, and it's replying?

> Second, how are those packets getting through my router?

The magic of NAT. Remember that UDP is not session oriented, and so a
non-stateful packet filter has to let it in if it looks legit.

Is this not one of the nameservers your machine is trying to use?

-dsr-

-- 
Network engineer / pre-sales engineer available in the Boston area.
http://tao.merseine.nu/~dsr
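
An added example, not part of either post: a short Python triage of the netfilter log entry quoted above, applying the reply's reasoning (UDP from port 53 to a high port looks like a DNS reply, so check whether the source is a resolver the host actually uses). The resolv.conf text, the 1024 port threshold and the label names are assumptions made for illustration.

```python
import re

# Constructed sample: the log entry quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    "Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT= "
    "MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 "
    "DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF "
    "PROTO=UDP SPT=53 DPT=56639 LEN=58"
)
# Constructed resolv.conf text; that the host uses this resolver is an assumption.
SAMPLE_RESOLV = "search example.net\nnameserver 204.127.204.8\n"

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
LOW_PORT_LIMIT = 1024  # assumption: ports below this are not client source ports

def parse_netfilter_line(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict.
    LEN appears twice (IP length, then UDP length); the first is kept."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields

def configured_resolvers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = set()
    for raw in resolv_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers

def classify(line, resolvers):
    """Label a dropped packet using the reasoning from the reply above."""
    f = parse_netfilter_line(line)
    if f.get("PROTO") != "UDP" or f.get("SPT") != "53":
        return "other"
    if int(f.get("DPT", "0")) < LOW_PORT_LIMIT:
        return "udp-from-53-to-low-port"
    if f.get("SRC") in resolvers:
        return "dns-reply-from-configured-resolver"
    return "dns-shaped-from-unknown-source"

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, configured_resolvers(SAMPLE_RESOLV)))
```

On a real host, the log lines would come from syslog and the resolver list from /etc/resolv.conf instead of the embedded samples.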


