https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c1 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |carlos.e.r@opensuse.org --- Comment #1 from Marcus Meissner 2013-04-22 15:41:23 UTC --- how often does it happen? minutes? hours? We would need some kind of network dump I fear. run: # tcpdump -i eth0 port 53 or icmp -w foo.pcap and when such an entry happens, use: # tcpdump -r foo.pcap > foo.lst and get the lines with ICMP and the DNS query from it. (do not attach "foo.pcap" file as it contains the domain names you looked up. You could mail it to me offline if you want.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c3 Carlos Robinson changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|carlos.e.r@opensuse.org | --- Comment #3 from Carlos Robinson 2013-04-22 22:07:39 UTC --- I had one event: <0.4> 2013-04-22 17:51:57 Telcontar kernel - - - [1655721.533300] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=58829 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=12985 PROTO=UDP SPT=4714 DPT=53 LEN=44 ] <0.4> 2013-04-22 17:51:57 Telcontar kernel - - - [1655721.533730] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=58830 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=12986 PROTO=UDP SPT=35688 DPT=53 LEN=44 ] I looked at the dump about that time, and I saw this: 17:49:32.776919 IP router.domain > Telcontar.valinor.7587: 12449 1/0/0 PTR l2.nstld.com. (70) 17:51:24.156929 IP router > Telcontar.valinor: ICMP net wi-in-f108.1e100.net unreachable, length 93 17:51:24.750672 IP router > Telcontar.valinor: ICMP net wi-in-f108.1e100.net unreachable, length 93 and several more, till it works again about here: 17:51:59.287256 IP Telcontar.valinor.33412 > ns1.dyndns.org.domain: 58119 [1au] AAAA? checkip.dyndns.org. (47) 17:51:59.287355 IP Telcontar.valinor.26216 > ns1.dyndns.org.domain: 16483 [1au] A? checkip.dyndns.org. (47) 17:51:59.535613 IP ns1.dyndns.org.domain > Telcontar.valinor.33412: 58119*- 1/13/1 CNAME checkip.dyndns.com. (290) 17:51:59.536049 IP Telcontar.valinor.56113 > router.domain: 46152+ AAAA? checkip.dyndns.com. (36) 17:51:59.539750 IP ns1.dyndns.org.domain > Telcontar.valinor.26216: 16483*- 1/13/1 CNAME checkip.dyndns.com. (290) 17:51:59.540046 IP Telcontar.valinor.vrtp > router.domain: 39096+ A? checkip.dyndns.com. (36) 17:51:59.599778 IP router.domain > Telcontar.valinor.56113: 46152 0/1/0 (113) 17:51:59.605738 IP router.domain > Telcontar.valinor.vrtp: 39096 4/0/0 A 216.146.39.70, A 216.146.43.70, A 91.198.22.70, A 216.146.38.70 (100) 17:51:59.884315 IP Telcontar.valinor.56515 > router.domain: 44660+ AAAA? imap.gmail.com. (32) I then looked at my router log, and it so happens that my ADSL connection went down at precisely that interval: <1.2> 2013-04-22 17:51:21 router klogd - - - ADSL link down <3.2> 2013-04-22 17:51:23 router pppd 433 - - Clear IP addresses. Connection DOWN. <3.2> 2013-04-22 17:51:23 router pppd 433 - - Clear IP addresses. PPP connection DOWN. ... <3.2> 2013-04-22 17:51:57 router pppd 433 - - Received valid IP address from server. Connection UP. The checkip.dyndns.com query is because I have a process triggered by rsyslogd on that message to find out and log my external IP, like this: <5.4> 2013-04-22 17:51:59 Telcontar router - - - Logging the current IP= 83.53.140.230 My adsl also went down at this other time (before the tcpdum was activated): <5.4> 2013-04-22 14:38:19 Telcontar router - - - Logging the current IP= 79.155.197.215 <5.4> 2013-04-22 15:02:50 Telcontar router - - - Logging the current IP= 79.155.197.215 and at those intervals I have several entries in my firewall log: <0.4> 2013-04-22 14:38:04 Telcontar kernel - - - [1644088.407153] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0xC0 TTL=255 ID=26276 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=10423 PROTO=UDP SPT=28960 DPT=53 LEN=43 ] <0.4> 2013-04-22 14:38:11 Telcontar kernel - - - [1644095.607752] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0xC0 TTL=255 ID=26284 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=10429 PROTO=UDP SPT=62071 DPT=53 LEN=43 ] <0.4> 2013-04-22 15:02:47 Telcontar kernel - - - [1645572.140104] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=63545 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=10733 PROTO=UDP SPT=47089 DPT=53 LEN=44 ] <0.4> 2013-04-22 15:02:47 Telcontar kernel - - - [1645572.140541] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=63546 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=10734 PROTO=UDP SPT=45834 DPT=53 LEN=44 ] So it looks that those events happen when my ADSL link goes down. I may check more events to find out if it is always the case or not. I'm using local DNS server (bind) in my openSUSE machine. It has: forwarders { 192.168.1.1; }; forward first; and it is the router at that IP who queries the DNS of my ISP. I can email you the tcpdump later. Do you want the raw file, or the one converted to text? If the text suffices, I can clip the section of the event, an add it to the bug, I don't see there any entry I want secret. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c5 --- Comment #5 from Marcus Meissner 2013-04-25 13:36:23 UTC --- the raw file... meissner@suse.de -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c7 --- Comment #7 from Carlos Robinson 2013-04-30 23:52:51 UTC --- The "80.58.61.254" IP is my ISP DNS server. The tcpdump does not see it, because my machine queries the DNS server in the router, has no knowledge of which are the ISP servers. I sent you the raw file just now. Sorry, but as the bug was not marked "needinfo" it did not come in my radar as "things to be done". I did not even get the information emails from Bugzilla! I noticed the activity here because I chanced to refresh the page. In fact, I just added an entry to another Bugzilla, and I got no email. Is something broken on Bugzilla? My email is working, I just tested it. I have this rule in the firewall config: FW_TRUSTED_NETS="192.168.1.1,udp,syslog 192.168.1.1,icmp ..." so supposedly the icmp package should be accepted even if unrelated :-? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |carlos.e.r@opensuse.org -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c10 --- Comment #10 from Marcus Meissner 2013-05-03 08:00:16 UTC --- https://bugzilla.novell.com/userprefs.cgi , Email Preferences ... check there. I actually spent several hours trying to understand both this problem and (more of that) the code that handles ICMP in the NAT/Masquerading case and firewalling. I do not have the full image yet either, as the Linux code is a maze. The mailinglist posts / guesses were just shots in the dark though, the problem is more complicated. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=816400 https://bugzilla.novell.com/show_bug.cgi?id=816400#c12 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #12 from Marcus Meissner 2013-05-06 08:18:53 UTC --- So in the end after my research and reviews I think they are harmless artefacts and should not hinder your (or any others) setups as-is. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.