Notice that the source port is 53. This is DNS (AKA domain). It is
almost certainly legitimate. Looking at the IPchains rules on my box
(cable modem) the SuSE-FW-ILLEGAL-TARGET rule applies to packets to
the box that do not have the "correct" destination address. Try this:
iptables-save | grep -e "-j input_ext"
The -d address is what the firewall expects all incoming packets to
have as a destination address.
Try starting/restarting the firewall in ip_up.
HTH,
Jeffrey
Quoting Carlos E. R.
The 03.06.15 at 14:18, Anders Johansson wrote:
Let us know what you find out. I've suspected for a while that there is something subtly wrong in the SuSEfirewall, but I've never suffered enough from it to muster up the energy to research it :)
No luck :-(
My sequence of events is this:
Jun 19 14:11:34 nimrodel poll.tcpip: _NOT_ starting mail and news send/fetch
Jun 19 14:11:34 nimrodel ip-up.local: --> Up ppp0 /dev/ttyS1 115200 L: 81.41.199.207 R: 80.58.197.103 Par:
Jun 19 14:11:34 nimrodel ip-up.local: --> Waiting for tcpdump activation
Jun 19 14:11:44 nimrodel ip-up.local: --> Launching fetch/send tasks now
Jun 19 14:11:44 nimrodel ip-up.local.doit: --> Starting mail and news send/fetch, and fidonet poll (expensive)
Jun 19 14:11:44 nimrodel postfix/postqueue[5739]: warning: unix_trigger: write to public/qmgr: Broken pipe
And I'm getting illegal packets (second connection on the day, so it is not always the first connection after booting):
Jun 19 14:11:33 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=198.41.0.10 DST=81.41.199.207 LEN=122 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=1024 LEN=102
Jun 19 14:11:33 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=198.41.0.10 DST=81.41.199.207 LEN=124 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=1024 LEN=104
But they are not logged by tcpdump, it is still one second earlier than tcpdump is called :-(
And I don't know who/what is sending the original request, because I start the send/receive sequence a full 10 seconds after the connection is established and tcpdump started.
I wonder if I can set tcpdump to log packets from all interfaces :-?
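The triage Jeffrey does by eye above (source port 53, UDP, unprivileged destination port, so almost certainly a DNS reply to a query the box itself sent) can be done over a whole syslog extract. The following is an added example, not code from the thread or from SuSEfirewall; it parses the kernel's SuSE-FW-ILLEGAL-TARGET lines into their key=value fields (keeping the two LEN= values apart, since the first is the IP length and the second the UDP length), pulls the local ppp0 address out of the ip-up "Up ppp0 ... L:" line, and checks whether the dropped packets were in fact addressed to that address. If they were, the verdict comes from what the firewall rule expects as -d (Jeffrey's point), not from the packet. The sample log lines are constructed: the first three mirror the ones quoted above, the 192.0.2.7 line is a made-up TCP SYN added only so the classifier has a non-DNS case; the label names and the L4_ prefix are my own choices.

```python
import re
from collections import Counter

# Constructed sample extract. The ppp0/DNS lines mirror the thread's log;
# the 192.0.2.7 line is invented so that a non-DNS packet is present.
SAMPLE_LOG = """\
Jun 19 14:11:33 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=198.41.0.10 DST=81.41.199.207 LEN=122 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=1024 LEN=102
Jun 19 14:11:33 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=198.41.0.10 DST=81.41.199.207 LEN=124 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=1024 LEN=104
Jun 19 14:11:34 nimrodel poll.tcpip: _NOT_ starting mail and news send/fetch
Jun 19 14:11:34 nimrodel ip-up.local: --> Up ppp0 /dev/ttyS1 115200 L: 81.41.199.207 R: 80.58.197.103 Par:
Jun 19 14:12:01 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.0.2.7 DST=81.41.199.207 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog prefix + SuSE-FW rule name + the netfilter key=value tail
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<rule>SuSE-FW-\S+) (?P<fields>.*)$"
)
# ip-up.local line that records the local (L:) and remote (R:) ppp addresses
IPUP_RE = re.compile(
    r"ip-up\.local: --> Up (?P<iface>\S+) .* L: (?P<local>\d+\.\d+\.\d+\.\d+)"
    r" R: (?P<remote>\d+\.\d+\.\d+\.\d+)"
)
EPHEMERAL_MIN = 1024   # lowest unprivileged port; a resolver's query source port


def parse_fw_line(line):
    """Return a dict of the SuSE-FW log fields, or None for non-firewall lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "rule": m.group("rule"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in rec:          # second LEN= is the transport-layer length
                key = "L4_" + key   # hypothetical prefix chosen for this example
            rec[key] = val
        else:
            rec["flags"].append(tok)   # bare tokens such as DF or SYN
    return rec


def classify(rec):
    """Coarse label: DNS reply to a local query, inbound SYN, or other."""
    try:
        spt, dpt = int(rec.get("SPT", -1)), int(rec.get("DPT", -1))
    except ValueError:
        return "unparsed"
    proto = rec.get("PROTO")
    if proto == "UDP" and spt == 53 and dpt >= EPHEMERAL_MIN:
        return "likely-dns-reply"
    if proto == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "inbound-connection-attempt"
    return "other"


def local_addresses(log_text):
    """Map interface -> local address from ip-up 'Up <iface> ... L: <addr>' lines."""
    addrs = {}
    for line in log_text.splitlines():
        m = IPUP_RE.search(line)
        if m:
            addrs[m.group("iface")] = m.group("local")
    return addrs


def dst_is_local(rec, addrs):
    """True when the dropped packet was addressed to the interface's own address."""
    return addrs.get(rec.get("IN")) == rec.get("DST")


def triage(log_text):
    """Count dropped packets per (SRC, DST, label) so repeat offenders stand out."""
    summary = Counter()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is not None:
            summary[(rec["SRC"], rec["DST"], classify(rec))] += 1
    return summary


if __name__ == "__main__":
    addrs = local_addresses(SAMPLE_LOG)
    for (src, dst, label), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src:>15} -> {dst:<15}  {label}")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_fw_line(line)
        if rec:
            print(rec["ts"], rec["SRC"], "addressed to our ppp address:",
                  dst_is_local(rec, addrs))
```

Run against a real /var/log/messages extract, the two questions this answers are the ones the thread is circling: are the dropped packets replies to something the box asked (SPT=53 to a port above 1023), and was their DST the address ppp0 actually got on this dial-up. When both hold, the next thing to look at is the -d address in the input_ext rules, as suggested above.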