
Re: [opensuse-security] A curious firewall message I don't understand.



It's probably the hint file in your named cache server that has a
problem, I'd check the routing and such.

Gary B
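As an added example (not code from anyone in this thread), here is a small Python parser that does the decoding Chejov walks through below: it splits each SFW2 log line into the outer ICMP header and the bracketed copy of the original packet that the router is complaining about, describes each entry in plain words, and tallies which destination keeps being reported unreachable. The sample lines are constructed from the entries quoted further down, rejoined onto single lines; the ICMP type 3 code table follows the RFC 792 numbering.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input, modelled on the SFW2 lines quoted in the thread.
# Each log entry is one line here; the mail client wrapped them.
SAMPLE_LOG = """\
Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39491 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2525 DPT=53 LEN=42 ]
Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39492 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2528 DPT=53 LEN=42 ]
Jan 17 11:11:12 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=123 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3073 DPT=162 LEN=103
"""

# ICMP "destination unreachable" (type 3) codes, RFC 792 numbering.
ICMP_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF set",
    5: "Source Route Failed",
}

KV_RE = re.compile(r"(\w+)=(\S*)")
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<tag>SFW2-\S+) "
    r"(?P<outer>[^\[]*?)(?:\[(?P<inner>[^\]]*)\])?\s*$"
)


def parse_fields(text: str) -> Dict[str, str]:
    """Turn KEY=VALUE tokens into a dict. The first LEN wins (IP total length;
    the second LEN in a UDP packet is the UDP length). Bare tokens such as DF
    are collected under '_flags'."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(text):
        fields.setdefault(key, value)
    flags = [tok for tok in text.split() if "=" not in tok]
    if flags:
        fields["_flags"] = ",".join(flags)
    return fields


def parse_line(line: str) -> Optional[dict]:
    """One SFW2 line -> {ts, host, tag, outer, inner}; inner is the bracketed
    copy of the original packet (present only in ICMP error messages)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "outer": parse_fields(m["outer"]),
        "inner": parse_fields(m["inner"]) if m["inner"] is not None else None,
    }


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def endpoint(f: Dict[str, str], side: str) -> str:
    """'SRC' or 'DST' -> 'ip:port' when the packet has a port, else 'ip'."""
    port = f.get("SPT" if side == "SRC" else "DPT")
    return f"{f.get(side, '?')}:{port}" if port else f.get(side, "?")


def describe(rec: dict) -> str:
    """Plain-words reading of one entry: who is telling whom what."""
    o, i = rec["outer"], rec["inner"]
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
        code = int(o.get("CODE", "-1"))
        name = ICMP_UNREACH_CODES.get(code, "unknown code")
        return (f"{o['SRC']} reports ICMP type 3 code {code} ({name}) for our "
                f"{i.get('PROTO', '?')} packet {endpoint(i, 'SRC')} -> {endpoint(i, 'DST')}")
    return f"{rec['tag']}: {o.get('PROTO', '?')} {endpoint(o, 'SRC')} -> {endpoint(o, 'DST')}"


def unreachable_targets(text: str) -> Counter:
    """Count ICMP unreachable reports by the original packet's (DST, DPT),
    which shows at a glance which server the queries keep failing to reach."""
    counts: Counter = Counter()
    for rec in parse_log(text):
        o, i = rec["outer"], rec["inner"]
        if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
            counts[(i.get("DST"), i.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["ts"], describe(rec))
    print(unreachable_targets(SAMPLE_LOG))
```

Run against the real file (`grep SFW2 /var/log/firewall` or the messages file on a 10.3 box) the tally makes the pattern obvious: every ICMP entry carries an inner UDP packet to 128.9.0.107 port 53, so the router is not querying the PC, it is bouncing the PC's own DNS queries. The lone UDP 162 entry is a different thing (SNMP trap port) and shows up separately.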




agr.suzdal wrote:
> I think that something on your computer is going down.
>
> first:
> 128.9.0.107 = ns1.isi.edu
>
> and it's a root name server of DNS as you can see at
> http://en.wikipedia.org/wiki/Root_nameserver
>
> ; formerly NS1.ISI.EDU
> ;
> .                        3600000      NS    B.ROOT-SERVERS.NET.
> B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
>
> second:
> icmp type 3 code 0 = Host Unreachable
>
> third:
> as you can see at logs, your ROUTER (SRC=192.168.1.1) is sending a
> packet to you (DST=192.168.1.12) answering "with" Host Unreachable
> (PROTO=ICMP TYPE=3 CODE=0) that a packet DNS from YOU (SRC)
> [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64
> ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ] can't reach destination.
>
> my recommendation, verify your set of DNS at /etc/resolv.conf, and if
> it's right, then something is bad onto your computer.
>
> Chejov Suzdal
> www.hacktimes.com
> www.qualias.net
>
> Wilson Mattos wrote:
>>  Is the external address of your host "128.9.0.107."  If so, there
>> is a host somewhere on the Internet that has this IP address configured
>> as their DNS server.  Probably a typo.
>>
>>  Wil
>>
>>  ------------
>>  Wilson Mattos
>>  Technology Specialist
>>  wmattos@xxxxxxxxxx
>>  949-212-2805
>>
>>  Novell, Inc.
>>  Novell BrainShare 2008
>>  This is Your Open Enterprise
>>  Register at http://www.novell.com/brainshare
>> >>> "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx> 01/17/08 10:53 AM >>>
>>
>>
>> Hi,
>>
>> My setup is:
>>
>>                     small
>> adsl---> router ---lan----> PC
>>            with             (10.3)
>>           firewall
>>          192.168.1.1       192.168.1.12
>>
>>
>> I see these repeated messages on my 10.3 system:
>>
>> Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39491
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62
>> TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2525 DPT=53
>> LEN=42 ]
>> Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39492
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62
>> TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2528 DPT=53
>> LEN=42 ]
>> Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39493
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62
>> TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53
>> LEN=42 ]
>> Jan 15 14:16:55 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=98 TOS=0x00 PREC=0xC0 TTL=255 ID=39500
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=70
>> TOS=0x00 PREC=0x00 TTL=64 ID=62240 DF PROTO=UDP SPT=2533 DPT=53
>> LEN=50 ]
>> Jan 16 11:19:18 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=20624
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60
>> TOS=0x00 PREC=0x00 TTL=64 ID=41759 DF PROTO=UDP SPT=2696 DPT=53
>> LEN=40 ]
>> Jan 16 14:07:48 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=1746
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60
>> TOS=0x00 PREC=0x00 TTL=64 ID=44799 DF PROTO=UDP SPT=2737 DPT=53
>> LEN=40 ]
>> Jan 17 11:11:12 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=123 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
>> PROTO=UDP SPT=3073 DPT=162 LEN=103
>> Jan 17 11:11:33 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
>> MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1
>> DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=34107
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60
>> TOS=0x00 PREC=0x00 TTL=64 ID=51874 DF PROTO=UDP SPT=2900 DPT=53
>> LEN=40 ]
>>
>>
>> They started on Nov 4 (the day after I installed 10.3), and there is a
>> total of 112 entries.
>>
>> My first idea was that my router (192.168.1.1) was doing a DNS
>> query to my
>> linux machine (192.168.1.12), which is weird as the router uses a
>> remote
>> dns server as defined by my ISP. The linux machine does have a
>> local dns
>> server as cache and server.
>>
>> But then I noticed this part:
>>
>> PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107....
>>
>> The dest part in brackets is always the same, and it is a dns server
>> (ns1.isi.edu).
>>
>>
>> I don't know how to decipher this... what is it all about?
>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
> For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx