The 03.06.15 at 13:53, Carlos E. R. wrote:
The 03.06.13 at 23:13, Anders Johansson wrote:
I get illegal target on DNS reply packets from time to time when I restart the firewall. I'm not sure exactly what, but something gets messed up on a restart. I find that "rcnamed restart" makes it go away [...]
Ok, I have inserted this into my ip-up script:
/usr/sbin/tcpdump -i ppp0 -s0 -X -a -e -vvv "src or dst port 53" >> /root/captura.tcpdump
You must be right, it only happens at start, or sometimes. Look, I'm capturing a lot of traffic going to port 1024 (second time I fire up my modem after boot up):

(outgoing queries)

13:55:28.100627 > ip 100: 243.Red-81-41-199.pooles.rima-tde.net.1024 > ns1.recol.es.domain: [udp sum ok] 24659+ [1au] PTR? 10.128.155.210.in-addr.arpa. ar: . OPT UDPsize=2048 (56) (DF) [tos 0x10] (ttl 64, id 16383, len 84)
0x0000 4510 0054 3fff 4000 4011 1dd3 5129 c7f3 E..T?.@.@...Q..
0x0010 c195 0205 0400 0035 0040 850c 6053 0110 .......5.@..`S..
0x0020 0001 0000 0000 0001 0231 3003 3132 3803 .........10.128.
0x0030 3135 3503 3231 3007 696e 2d61 6464 7204 155.210.in-addr.
0x0040 6172 7061 0000 0c00 0100 0029 0800 0000 arpa.......)....
0x0050 8000 0000 ....

13:55:30.108608 > ip 89: 243.Red-81-41-199.pooles.rima-tde.net.1024 > ramblas.red.retevision.es.domain: [udp sum ok] 44850+ PTR? 10.128.155.210.in-addr.arpa. (45) (DF) [tos 0x10] (ttl 64, id 16390, len 73)
0x0000 4510 0049 4006 4000 4011 925b 5129 c7f3 E..I@.@.@..[Q)..
0x0010 3e51 10c5 0400 0035 0035 3302 af32 0100 >Q.....5.53..2..
0x0020 0001 0000 0000 0000 0231 3003 3132 3803 .........10.128.
0x0030 3135 3503 3231 3007 696e 2d61 6464 7204 155.210.in-addr.
0x0040 6172 7061 0000 0c00 01 arpa.....

(incoming response)

13:55:30.588264 < ip 180: ramblas.red.retevision.es.domain > 243.Red-81-41-199.pooles.rima-tde.net.1024: [udp sum ok] 44850* q: PTR? 10.128.155.210.in-addr.arpa. 1/2/2 10.128.155.210.in-addr.arpa. PTR ns1.mex.ad.jp. ns: 128.155.210.in-addr.arpa. NS ns0.mex.ad.jp., 128.155.210.in-addr.arpa. NS ns1.mex.ad.jp. ar: ns0.mex.ad.jp. A ns0.mex.ad.jp, ns1.mex.ad.jp. A ns1.mex.ad.jp (136) (DF) (ttl 243, id 22132, len 164)
0x0000 4500 00a4 5674 4000 f311 c8a1 3e51 10c5 E...Vt@.....>Q..
0x0010 5129 c7f3 0035 0400 0090 c7d8 af32 8580 Q)...5.......2..
0x0020 0001 0001 0002 0002 0231 3003 3132 3803 .........10.128.
0x0030 3135 3503 3231 3007 696e 2d61 6464 7204 155.210.in-addr.
0x0040 6172 7061 0000 0c00 01c0 0c00 0c00 0100 arpa............
0x0050 0151 8000 0f03 6e73 3103 6d65 7802 6164 .Q....ns1.mex.ad
0x0060 026a 7000 c00f 0002 0001 0001 5180 0006 .jp.........Q...
0x0070 036e 7330 c03d c00f 0002 0001 0001 5180 .ns0.=........Q.
0x0080 0002 c039 c054 0001 0001 0001 5180 0004 ...9.T......Q...
0x0090 d29b 8006 c039 0001 0001 0001 5180 0004 .....9......Q...
0x00a0 d29b 800a ....

There are a lot more going to my port 1024, and no report shows on the firewall logs - except normal script kiddies probing me :-)

-- 
Cheers,
Carlos Robinson
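The capture above shows the resolver sending its PTR query from UDP port 1024 and the server answering back to that same port, which is exactly the reply a stateful firewall has to recognise as belonging to the outbound query before it can accept it. The following parser, an added example that is not part of the thread, decodes the second query and its response from the hex columns of the tcpdump -X output quoted above (IPv4, UDP and DNS, including compression pointers) and performs that query/reply correlation; the function names are my own.

```python
import struct
# Hex copied from the tcpdump -X output quoted in the post (ASCII column dropped), two dump rows per line.
QUERY_HEX = ("4510 0049 4006 4000 4011 925b 5129 c7f3 3e51 10c5 0400 0035 0035 3302 af32 0100"
             " 0001 0000 0000 0000 0231 3003 3132 3803 3135 3503 3231 3007 696e 2d61 6464 7204"
             " 6172 7061 0000 0c00 01")
REPLY_HEX = ("4500 00a4 5674 4000 f311 c8a1 3e51 10c5 5129 c7f3 0035 0400 0090 c7d8 af32 8580"
             " 0001 0001 0002 0002 0231 3003 3132 3803 3135 3503 3231 3007 696e 2d61 6464 7204"
             " 6172 7061 0000 0c00 01c0 0c00 0c00 0100 0151 8000 0f03 6e73 3103 6d65 7802 6164"
             " 026a 7000 c00f 0002 0001 0001 5180 0006 036e 7330 c03d c00f 0002 0001 0001 5180"
             " 0002 c039 c054 0001 0001 0001 5180 0004 d29b 8006 c039 0001 0001 0001 5180 0004 d29b 800a")

def read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers; returns (name, next_off)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer to an earlier name; a pointer always ends the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        if n == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_packet(hexdump):
    """IPv4 + UDP + DNS fields from a tcpdump -X dump; records are (owner, type, rdata) for all three sections."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    ihl = (pkt[0] & 0x0F) * 4                # IPv4 header length; the 8-byte UDP header follows it
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    dns = pkt[ihl + 8:]
    txid, flags, _qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = read_name(dns, 12)
    off += 4                                 # skip QTYPE and QCLASS of the single question
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(dns, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        rdata = dns[off + 10:off + 10 + rdlen]           # raw rdata for types not decoded below
        if rtype in (1, 2, 12):                          # A -> dotted quad, NS / PTR -> (compressed) name
            rdata = ".".join(map(str, rdata)) if rtype == 1 else read_name(dns, off + 10)[0]
        records.append((name, rtype, rdata))
        off += 10 + rdlen
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "txid": txid,
            "is_response": bool(flags & 0x8000), "qname": qname, "records": records}

def reply_matches_query(query, reply):
    """The stateful check: a reply belongs to the outbound query whose addresses, ports and id it mirrors."""
    return (reply["is_response"] and reply["txid"] == query["txid"] and reply["qname"] == query["qname"]
            and (reply["src"], reply["sport"], reply["dst"], reply["dport"])
            == (query["dst"], query["dport"], query["src"], query["sport"]))
```

`reply_matches_query(parse_packet(QUERY_HEX), parse_packet(REPLY_HEX))` returns True for the captured pair: transaction id 44850 and the 62.81.16.197:53 / 81.41.199.243:1024 endpoints line up, so a filter that only tracks ports below 1024 or that lost its state on restart is what would make this legitimate answer look like an "illegal target".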