DNS knocking on my Shorewall

DNS knocking on my Shorewall

Post by Kevi » Thu, 28 Aug 2003 04:39:15



I asked the owner of the SRC machine below what's happening here:

Aug 25 08:13:04 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11 DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP SPT=53 DPT=2898 LEN=57

His answer was that it looks like his machine is replying to my
machine's DNS requests, and it's being blocked.  Does this answer
make sense?  I don't know enough DNS to evaluate it on my own.

My shorewall policy for the zone this is coming from is to DROP
anything that I don't explicitly let in.  I trust the zone as
much as I'd trust anything -- it's my work, and they have a very
good track-record with me and their own firewall.  Is it
reasonably safe to let in UDP port 53, which is "domain" in my
/etc/services?

Maybe letting in UDP port 53 isn't the right way to address this.
Is there a shorewall way to let in any packet that's a response
to a packet that I originated?  Can I explicitly restrict that
"any" but have a policy to let in the other response packets?

Thanks....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

 
 
 

DNS knocking on my Shorewall

Post by Whoeve » Thu, 28 Aug 2003 09:53:42



> I asked the owner of the SRC machine below what's happening here:

> Aug 25 08:13:04 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11 DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP SPT=53 DPT=2898 LEN=57

> His answer was that it looks like his machine is replying to my
> machine's DNS requests, and it's being blocked.  Does this answer
> make sense?  I don't know enough DNS to evaluate it on my own.

It might be. You could use tcpdump to look at these packets.
$ /usr/sbin/tcpdump -n -s 1500 -p udp port 53

This should catch both outgoing and returning packets, which if his
explanation is correct, you should be able to match up.

I see lots of random dns queries trapped by my firewall. However these
have DST port 53, not SRC port 53.

It *might* be that your nameserver is sending these UDP queries and when
it gets no replies (because the firewall trapped them), it then uses TCP
for the DNS queries. I don't know if BIND or other name servers behave
like this, though.

> Maybe letting in UDP port 53 isn't the right way to address this.
> Is there a shorewall way to let in any packet that's a response
> to a packet that I originated?

Don't know about Shorewall, but it is trivially easy with IPTABLES.

Why use Shorewall anyway? Why not use a "standard" Linux distro
(RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
genuine enquiry.

 
 
 
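An added example (not code from any poster) that parses Shorewall log lines of the format quoted above and separates dropped DNS replies (SPT=53 back to an ephemeral port) from inbound queries (DPT=53), the distinction Whoeve draws; the first sample line is the one from the thread, the other two are constructed. The iptables rule in the comment is the generic stateful ESTABLISHED,RELATED match Whoeve alludes to, not Shorewall's own syntax.

```python
import re
from collections import Counter
# Constructed sample log: line 1 is the entry quoted in the thread; lines 2
# and 3 are made up to show an inbound query and a non-DNS packet.
SAMPLE_LOG = """\
Aug 25 08:13:04 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11 DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP SPT=53 DPT=2898 LEN=57
Aug 25 08:14:10 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=192.0.2.44 DST=201.39.149.123 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=UDP SPT=4321 DPT=53 LEN=40
Aug 25 08:15:00 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=192.0.2.45 DST=201.39.149.123 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=3333 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")

def parse_shorewall_line(line):
    """Return the netfilter fields of one Shorewall log line as a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("fields").split():
        key, has_eq, val = tok.partition("=")
        # Bare flags (DF, SYN) become True; LEN appears twice and the first
        # value (IP total length) wins because setdefault keeps it.
        rec.setdefault(key, val if has_eq else True)
    return rec

def classify(rec):
    """Say what a dropped packet looks like from a DNS point of view."""
    if rec.get("PROTO") != "UDP":
        return "other"
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if spt == 53 and dpt >= 1024:
        # Source port 53 to an ephemeral port is the shape of an answer to a
        # query this host sent. A stateful rule admits only such answers
        # (plain iptables: -m state --state ESTABLISHED,RELATED -j ACCEPT).
        return "dns-reply"
    if dpt == 53:
        return "dns-query"  # someone asking this host to resolve names
    return "other"

def summarize(log_text):
    counts, replies = Counter(), []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "dns-reply":
            replies.append((rec["SRC"], rec["DST"], rec["DPT"], rec["ID"]))
    return counts, replies
```

Feed it the output of `grep Shorewall /var/log/messages` (or whatever syslog file holds the kernel messages) and the reply list tells you which servers' answers are being dropped, and to which local ports.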

DNS knocking on my Shorewall

Post by Doug Laidla » Thu, 28 Aug 2003 13:12:02




>> I asked the owner of the SRC machine below what's happening here:

>> Aug 25 08:13:04 joseph kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11
>> DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP
>> SPT=53 DPT=2898 LEN=57

>> His answer was that it looks like his machine is replying to my
>> machine's DNS requests, and it's being blocked.  Does this answer
>> make sense?  I don't know enough DNS to evaluate it on my own.

> It might be. You could use tcpdump to look at these packets.
> $ /usr/sbin/tcpdump -n -s 1500 -p udp  port 53

> This should catch both outgoing and returning packets, which if his
> explanation is correct, you should be able to match up.

> I see lots of random dns queries trapped by my firewall. However these
> have DST port 53, not SRC port 53.

> It *might* be that your nameserver is sending these UDP queries and when
> it gets no replies (because the firewall trapped them), it then uses TCP
> for the DNS queries. I don't know if BIND or other name servers behave
> like this, though.

>> Maybe letting in UDP port 53 isn't the right way to address this.
>> Is there a shorewall way to let in any packet that's a response
>> to a packet that I originated?

> Don't know about Shorewall, but it is trivially easy with IPTABLES.

> Why use Shorewall anyway? Why not use a "standard" Linux distro
> (RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
> genuine enquiry.

Shorewall is the firewall supplied with Mandrake 9.0.

Doug.
--
Registered Linux User No. 277548.
They say lightning never strikes twice in the same place.  My typing is
about as accurate.  Apologies for any typos that slip in. - Doug.

 
 
 

DNS knocking on my Shorewall

Post by Kevi » Fri, 29 Aug 2003 02:27:41




> Why use Shorewall anyway? Why not use a "standard" Linux distro
> (RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
> genuine enquiry.

Shorewall is "standard" with Mandrake >= 9.0.

Good suggestion on the tcpdump -- I'll try that.

Thanks....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

 
 
 

1. Losing DNS when restarting Shorewall - Mandrake 9

On my main machine [Mandrake 9, Pentium 166, 128MB RAM] I have a cable
modem, accessed through eth1 with a DHCP address and a LAN accessed
through eth0 with a fixed address of 192.168.0.1/24

Other machines on my LAN (1 Windows XP, 1 Linux at present) have
addresses of 192.168.0.x/24 (x=2,3..).

I set up masquerading (via iptables) and everything worked fine - the
Windows client has the DNS settings configured in network properties
and the Linux one via /etc/resolve.conf.

Clients can browse the net without problems and the firewall appears
to prevent outside access to my machines (PING, TelNet, FTP are all
barred but not HTTP).

So far so good.

However after running for over 3 months, I had to power down my main
PC for a hardware fix (floppy drive broke down).

When I restarted it, none of the clients could see the net (they could
PING external sites by IP address but not by name). This led me to
think that there was a block on DNS port traffic.

To cut a long story short, if I disable Shorewall (from the Mandrake
control panel) the clients work as before; attempts to break in from
outside appear to fail - i.e. it looks as if the firewall is still there.
If I enable Shorewall -- no access.

I restored my shorewall settings (/etc/shorewall/*) from backup but
the same problems seem to occur.

I've tried to RTFM and also looking at sites on the net but I can't
see anything obviously wrong.

I know that it's entirely possible that the solution is staring me in
the face and I don't realise it, but if anyone else out there has had
similar problems and fixed them, please could they take pity on me
whilst I still have some vestiges of sanity left.

Thanks in advance

Andy
