tarballed
October 24th, 2003, 16:52
A snip from my firewall log today:

[code]
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
[/code]

Take a look at who owns those IPs! Microsoft. What's up with that?
Coming into port 53.
Tarballed

OBTW, I'm not hosting a public DNS server
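
An added example, not part of any post in this thread: a small parser for the firewalld deny line format quoted above that answers the "how often, and from whom" question by counting denied inbound UDP/53 datagrams per source. The three numeric fields between the interface and the addresses are kept but not interpreted, and the sample log is constructed from the posted lines plus one unrelated line.

```python
import re
from collections import Counter, defaultdict

# WatchGuard-style "firewalld" deny line as quoted in the post. The fields f1, f2, f3
# are whatever the firewall emits there (assumed opaque here; not interpreted).
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[(?P<pid>\d+)\]: "
    r"(?P<action>deny|allow) (?P<dir>in|out) (?P<iface>\S+) (?P<f1>\d+) "
    r"(?P<proto>\w+) (?P<f2>\d+) (?P<f3>\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) \((?P<rule>[^)]*)\)$"
)

# Constructed sample: the six posted lines plus one TCP line that is not a port-53 hit.
SAMPLE_LOG = """\
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.245.12 xxx.xxx.xxx.xxx 15233 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
10/24/03 12:57 firewalld[108]: deny in eth0 73 udp 20 48 207.46.150.13 xxx.xxx.xxx.xxx 58699 53 (default)
10/24/03 12:58 firewalld[108]: deny in eth0 60 tcp 20 48 10.0.0.5 xxx.xxx.xxx.xxx 4444 80 (default)
"""


def parse_line(line):
    """Return the named fields of one firewalld line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unsolicited_dns_hits(log_text, hosting_dns=False):
    """Count denied inbound datagrams aimed at UDP/53, keyed by source address.

    A datagram *to* port 53 from a high source port is a query, not an answer to a
    query this host sent (answers arrive *from* port 53), so on a host that runs no
    DNS server every such hit is unsolicited. distinct_sports == 1 across repeated
    hits is consistent with one sender retransmitting from the same socket.
    """
    hits, sports = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny" or rec["dir"] != "in":
            continue
        if rec["proto"] == "udp" and rec["dport"] == "53" and not hosting_dns:
            hits[rec["src"]] += 1
            sports[rec["src"]].add(rec["sport"])
    return {src: {"count": n, "distinct_sports": len(sports[src])} for src, n in hits.items()}
```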

Vile
October 27th, 2003, 17:26
How often are those in there? Maybe someone is trying to DoS you using a spoofed address?

What are you using your firewall for? Maybe it is misconfigured or some domain name is pointed towards your DNS server?

v902
October 27th, 2003, 17:41
Someone messed up IdleScan options and you are the server? </random guess>

What OS? Open? Free? If it's Free then it's more likely, if Open no possibility, Free has very unrandom IPIDs.

tarballed
October 27th, 2003, 17:57
They came in just a couple of times, not a whole lot.

This particular firewall is a Watchguard, which is built off a Linux kernel I believe.

It was kinda funny I thought. :)

Tarballed

bsdjunkie
October 27th, 2003, 21:44
Can you post full packet captures? It's kinda hard to tell much of anything with just a src going to port 53....

tarballed
October 28th, 2003, 13:36
Can you post full packet captures? It's kinda hard to tell much of anything with just a src going to port 53....

I'm actually working on doing a Snort setup with this particular firewall. It's a commercial firewall (Watchguard) and they have no built-in IDS. I contacted their support and asked if Snort would work. It will, but it requires a particular setup.

Specifically, I have to build a box (old PII 400), connect it with a "receive only" cable, and connect it to a hub on my firewall's external interface. It's a PITA right now as I don't have time to fully do what I want. I keep having to d!ck around with Domino 6 and Lotus Notes.

But, once it's up, I can get more info.

Tarballed

ealwen
October 28th, 2003, 19:18
They know you run BSD and were just verifying.