Kevin:

        Heya. Sorry for the late reply: as you can see in the
archives, there was a big discussion regarding unsolicited TCP
packets to port 53. Intentionally misconfigured packets, too, 
ones set with both the SYN and ACK flags, as if your firewall 
tried to initiate a connection. Your firewall would/should reply
with a SYN RST (I believe) and the response time from that
reply is what the load-balancing software is trying to measure.
        Very annoying.
        The really annoying part is that...most LEAF users
aren't even running DNS on their firewall or on their LAN. Sure,
we all *use* DNS, as clients, but my impression is that LEAF
is used more to protect a LAN of users than a LAN of servers.
Maybe that'd be a good poll for the LEAF site. :)

        Anyhow...if you're not running a DNS server on your
firewall or on your LAN, you can safely ignore anything that
shows up on port 53. The rules would look something like:

# Drop anything arriving on the external interface for port 53 (UDP and
# TCP). No -l on these rules, so the drops are not logged; they must sit
# before any catch-all rule that logs, since ipchains matches in order.
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 53 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 53 -p tcp -j DENY

        It used to be that only renegade DHCP and NetBIOS packets
needed to be explicitly filtered without logging, as they are so 
terribly common and equally harmless. This annoying "DNS-based
load balancing scan" has, I think, moved into that category.

-Scott

> I need some help in not logging the following DNS error types:
> 
> Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
> 
> I am using the Eiger2beta with PPPoP from Ken on a two floppy disk set-up.
> 
> I have a dnscache.lrp module running and have three IP's for the DNS servers
> to ensure these all find a way home.
> 
> from /etc/network.conf
> DNS0=192.168.1.254
> DNS1=205.152.0.20
> DNS2=205.152.0.5
> 
> What else is needed to help?
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
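Before adding silent DENY rules like the ones Scott shows, it is worth checking that the logged noise really is only the port-53 probes (plus the DHCP and NetBIOS chatter he mentions) and not something that still deserves a log entry. The script below is an added example, not code from the thread or from LEAF: it parses ipchains "Packet log:" lines in the format quoted above, sorts them into the noise categories discussed in the message, keeps whatever does not fit for a closer look, and emits no-log DENY rules only for the categories actually seen. The sample log is constructed here (only its first line is the one Kevin posted), the external interface name ppp0 and the category names are assumptions, and the parser tolerates the trailing SYN marker ipchains appends to entries for pure-SYN packets.

```python
import re
from collections import Counter

# Constructed sample of ipchains "Packet log:" lines. The first line is the
# one quoted in the message; the rest are made up to exercise the classifier
# (a UDP probe to 53, a DHCP broadcast, a NetBIOS name-service packet, and a
# real inbound SYN to telnet that should NOT be silenced).
SAMPLE_LOG = """\
Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
Packet log: input DENY ppp0 PROTO=17 64.37.200.47:53 66.20.176.251:53 L=60 S=0x00 I=0 F=0x0000 T=240 (#42)
Packet log: input DENY ppp0 PROTO=17 10.0.0.1:67 255.255.255.255:68 L=328 S=0x00 I=0 F=0x0000 T=128 (#42)
Packet log: input DENY ppp0 PROTO=17 66.20.176.1:137 66.20.176.255:137 L=78 S=0x00 I=0 F=0x0000 T=128 (#42)
Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4321 66.20.176.251:23 L=60 S=0x10 I=12345 F=0x4000 T=51 SYN (#42)
"""

# TCP/UDP entries as ipchains writes them. ICMP entries carry type:code where
# the ports are and therefore do not match; parse_line() returns None for them.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it is not TCP/UDP."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        e[key] = int(e[key])
    e["syn"] = e["syn"] is not None
    return e


# Noise categories from the message: port-53 probes, DHCP, NetBIOS.
# Category names are assumptions made for this example.
NOISE = {
    "dns-probe": lambda e: e["dport"] == 53 and e["proto"] in (6, 17),
    "dhcp": lambda e: e["proto"] == 17 and e["dport"] in (67, 68),
    "netbios": lambda e: (e["proto"] == 17 and e["dport"] in (137, 138, 139))
    or (e["proto"] == 6 and e["dport"] == 139),
}


def classify(entry, ext_iface):
    """Name the noise category of an entry, or "other" if it is worth a look."""
    if entry["iface"] != ext_iface:
        return "other"
    for name, matches in NOISE.items():
        if matches(entry):
            return name
    return "other"


def summarize(log_text, ext_iface):
    """Count entries per category; also return the entries that fit none."""
    counts = Counter()
    unexplained = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        category = classify(entry, ext_iface)
        counts[category] += 1
        if category == "other":
            unexplained.append(entry)
    return counts, unexplained


def silent_deny_rules(ext_iface, categories):
    """ipchains rules (no -l, so no logging) for the noise categories given."""
    ports = {
        "dns-probe": [("udp", "53"), ("tcp", "53")],
        "dhcp": [("udp", "67:68")],
        "netbios": [("udp", "137:139"), ("tcp", "139")],
    }
    rules = []
    for category in categories:
        for proto, port in ports.get(category, []):
            rules.append(
                f"$IPCHAINS -A input -i {ext_iface} -p {proto} -d 0.0.0.0/0 {port} -j DENY"
            )
    return rules


if __name__ == "__main__":
    counts, unexplained = summarize(SAMPLE_LOG, "ppp0")
    print(dict(counts))
    for e in unexplained:
        print("still worth logging:", e["src"], "->", e["dst"], "port", e["dport"])
    for rule in silent_deny_rules("ppp0", [c for c in counts if c != "other"]):
        print(rule)
```

The generated rules go into the firewall script ahead of the catch-all rule that carries -l, because ipchains stops at the first match; anything that the summary reports as "other" (here the SYN to port 23) keeps reaching the logging rule, which is the point of silencing only the known-harmless categories.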