From: "Bo Jacobsen" <subs@systemhouse.dk>
To: netfilter@lists.netfilter.org
Subject: Re: Question; what is this netfilter logfile entry ?
Date: Sun, 14 Nov 2004 22:41:32 +0100
Message-ID: <001001c4ca92$b98566a0$de0aa8c0@comp>
In-Reply-To: 1100429463.5934.420.camel@grendel
> >
> > Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
> >
> > It looks like ICMP with an embedded DNS call?
>
> It's an ICMP port unreachable. Looks like 198.41.0.4 tried to send a
> reply to one of your DNS queries, took too long to respond, and by the
> time they did the port was closed. What's kind of interesting is that it
> was a full size answer so I'm guessing the truncation bit was set. This
> means that if this packet had been returned in time your system would
> have had to switch to TCP to get a full answer.
>
> The UDP info is embedded in the payload so the remote system knows which
> port was unreachable. This is in case multiple sessions were running at
> the same time. Perfectly normal for an ICMP error packet.
>
> > What is it exactly, and what would a rule to allow this look like?
>
> This would be permitted if you are letting "RELATED" traffic through.
> This ensures that only legit ICMP errors are passed. While you could
> define an accept rule for the ICMP type code, this would let all
> matching traffic through opening up the possibilities of a covert
> communication channel.
>
It has something to do with PSD. When it's "enabled" the problem arises,
triggered by prior PSD denials of DNS traffic coming from unknown external
IPs. With no iptables PSD statements it never happens.
On our inside we have djbdns acting as an internal forwarding DNS server.
When PSD closes off traffic like this, this type of "traffic" is taking up all
internet bandwidth, and filling up the syslog message log. If djbdns is
killed / restarted the traffic stops, and everything works again. If just left
alone, after a minute or two, everything goes back to normal.
Maybe djbdns starts spewing out DNS requests, and is denied the reply
because a triggered PSD will not allow any DNS response back in.
Strangely enough, we have only seen this problem when
accessing www.space.com.
We currently run iptables 1.2.8 on a 2.4.21 kernel. We have not yet tested it with
a 2.6 kernel.
Bo
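The quoted reply explains why the log line carries a second, bracketed header: an ICMP destination-unreachable error quotes the datagram that provoked it, and netfilter's LOG target prints that quoted header between `[` and `]`. The following is an added example written for this thread, not code from the thread or from the netfilter project: a small Python parser for the LOG line format that splits out the embedded header and applies the check a genuine ICMP error must pass, namely that the quoted datagram's addresses mirror the outer packet's. `SAMPLE_LINE` is the line quoted in the thread; `FORGED_LINE` is constructed (documentation-range addresses) to show an error whose quoted datagram belongs to no flow of the host's. The second `LEN=` in the bracketed part is the UDP length field, which the parser stores as `L4_LEN` (a name chosen here, not netfilter's).

```python
"""Parse netfilter LOG target lines and classify ICMP errors (added example)."""
import re

# The log line quoted in the thread (the '.' after the DENY-OUT: prefix kept as posted).
SAMPLE_LINE = (
    "Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 "
    "DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 "
    "TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]"
)

# Constructed: an inbound port-unreachable whose quoted datagram does not
# involve this host at all (addresses from the RFC 5737 documentation ranges).
FORGED_LINE = (
    "Nov 14 02:30:00 WF1-HOME kernel: DENY-IN:IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=198.51.100.7 DST=198.51.100.8 LEN=28 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=1 PROTO=UDP SPT=1234 DPT=53 LEN=8 ]"
)

# ICMP type 3 (destination unreachable) codes, from RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed",
    13: "communication administratively prohibited",
}

_FIELD = re.compile(r"(\w+)=(\S*)")
_HEAD = re.compile(r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<rest>.*)$")


def _fields(text):
    """Turn 'KEY=VALUE KEY=VALUE ...' into a dict.

    LOG prints LEN= once for the IP total length and again for the transport
    (UDP/TCP) length, so the second occurrence is kept under L4_LEN.
    """
    out = {}
    for key, value in _FIELD.findall(text):
        if key == "LEN" and "LEN" in out:
            key = "L4_LEN"
        out[key] = value
    return out


def parse_netfilter_line(line):
    """Split a LOG line into timestamp, host, --log-prefix, outer header and,
    for ICMP errors, the embedded header printed between [ and ]."""
    m = _HEAD.match(line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    rest = m.group("rest")
    start = re.search(r"\bIN=", rest).start()  # everything before IN= is the prefix
    outer_text, _, tail = rest[start:].partition("[")
    inner_text = tail.partition("]")[0]
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": rest[:start],
        "outer": _fields(outer_text),
        "inner": _fields(inner_text) if inner_text else None,
    }


def classify_icmp_error(line):
    """Describe an ICMP error line and check that its quoted datagram is plausible."""
    rec = parse_netfilter_line(line)
    outer, inner = rec["outer"], rec["inner"]
    if outer.get("PROTO") != "ICMP":
        return {"kind": "not-icmp"}
    icmp_type, icmp_code = int(outer["TYPE"]), int(outer["CODE"])
    if icmp_type != 3 or inner is None:
        return {"kind": "icmp type %d code %d" % (icmp_type, icmp_code), "error_with_payload": False}
    result = {
        "kind": ICMP_UNREACH_CODES.get(icmp_code, "unreachable code %d" % icmp_code),
        "error_with_payload": True,
        # OUT= set and IN= empty means this host emitted the error itself.
        "direction": "sent" if outer.get("OUT") and not outer.get("IN") else "received",
        # A real error quotes the datagram that triggered it, so the quoted
        # source must be the outer destination and vice versa.
        "addresses_consistent": inner["SRC"] == outer["DST"] and inner["DST"] == outer["SRC"],
        "quoted_flow": "%s %s:%s -> %s:%s" % (inner.get("PROTO"), inner["SRC"], inner.get("SPT", "?"),
                                             inner["DST"], inner.get("DPT", "?")),
        # The port the quoted datagram was addressed to, i.e. the one reported closed.
        "unreachable_port": int(inner["DPT"]) if "DPT" in inner else None,
    }
    if inner.get("PROTO") == "UDP" and "L4_LEN" in inner:
        # UDP's length field covers its own 8-byte header.
        result["udp_payload_bytes"] = int(inner["L4_LEN"]) - 8
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, FORGED_LINE):
        print(classify_icmp_error(sample))
```

On the thread's line the check passes: the host sent a port-unreachable for a UDP datagram from 198.41.0.4:53 to its own port 51981, and the quoted UDP length of 512 leaves 504 bytes of DNS message once the 8-byte UDP header is taken off. On the constructed line the quoted addresses have nothing to do with either end, which is the shape an ICMP packet used as a carrier for something else would have. Connection tracking's RELATED state goes one step further than this offline check: it only matches when the quoted datagram belongs to a flow conntrack currently has a table entry for, which is why `-m state --state ESTABLISHED,RELATED -j ACCEPT` admits the legitimate error while `-p icmp --icmp-type port-unreachable -j ACCEPT` would admit any packet of that type.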