Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Re: Strange Log Message
Hi Richard,

On 2001.07.18 17:56:28 +0100 Richard Ibbotson wrote:

> The latest one says ..........
> output DENY ippp0 PROTO=17
> L=61 S=0x00 I=4974 F=0x4000  T=63 (#5)

This means that your firewall (rule 5) has blocked a TCP (proto 17)
packet, which would have gone out over ippp0 from you ( to
your ISP's nameserver.

The incrementing source port number is nothing to worry about in itself,
that is normal Linux behaviour.

> The source of the data packet would seem to be the local machine. So
> far it started at port 36552 earlier on and now it's at port 61555
> and still going up.
> Just can't understand where it's coming from on the local machine ?

You will have some process(es) running, which need to do name queries, (eg
sendmail, samba, etc etc...). In /etc/resolv.conf you have defined your
ISP's server, so all queries go to it.
The firewall rule (sensibly) stops the ISDN link being brought up
automatically - imagine how much cost you would have if each of those
packets had dialed your ISP...

Once you find which daemons are causing the packets, and if you find you
*need* them, then you will have to live with it. You could add a firewall
rule to block these packets and not log them, or try using the
/etc/ppp/ip-up script to rewrite resolv.conf as the isdn link comes up and
down. (or run bind as a local caching-nameserver - see DNS-howto for info)

I had this problem a while ago, and fudged around it until I decided the
best way to fix it (and loads of other issues! ) was a DSL link :) hehehe!


> Thanks
> --
> Richard

Maf. King
Standby Exhibition Services


"It is easier to do a job right than to explain why you didn't."

- Martin Van Buren
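
Added example, not part of the original message: a parser for ipchains "Packet log:" lines of the kind quoted above, which counts denied outbound DNS queries on the dial-on-demand interface so the blocked lookups can be tallied per nameserver. The sample lines, host name and addresses are constructed (the archived line has its addresses stripped), and the protocol names follow the IANA protocol numbers (1 ICMP, 6 TCP, 17 UDP).

```python
import re
from collections import Counter

# Layout of an ipchains "Packet log:" line, as described in the IPCHAINS-HOWTO.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) "
    r"I=(?P<ip_id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["dont_fragment"] = bool(int(rec["frag"], 16) & 0x4000)  # IP DF flag
    return rec

def blocked_dns(lines, iface="ippp0"):
    """Count denied outbound packets to port 53 on iface, per (server, protocol)."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if (rec["chain"], rec["action"], rec["iface"]) == ("output", "DENY", iface) \
                and rec["dport"] == 53:
            hits[(rec["dst"], rec["proto_name"])] += 1
    return hits

# Constructed sample lines (documentation addresses, not from the original mail).
SAMPLE = [
    "Jul 18 17:50:01 gw kernel: Packet log: output DENY ippp0 PROTO=17 "
    "192.0.2.10:36552 198.51.100.53:53 L=61 S=0x00 I=4974 F=0x4000 T=63 (#5)",
    "Jul 18 17:50:06 gw kernel: Packet log: output DENY ippp0 PROTO=17 "
    "192.0.2.10:36553 198.51.100.53:53 L=61 S=0x00 I=4975 F=0x4000 T=63 (#5)",
    "Jul 18 17:51:12 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.77:1045 192.0.2.10:23 L=44 S=0x00 I=812 F=0x0000 T=64 (#3)",
    "Jul 18 17:52:00 gw kernel: isdn: ippp0 hangup",
]

if __name__ == "__main__":
    for (server, proto), n in blocked_dns(SAMPLE).items():
        print(f"{n} denied {proto} DNS queries to {server}")
```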

