Charlie wrote:
> Howdy;
> 
> I'm not certain whether I have a problem; Shaw FibreLink (my cable/broadband 
> ISP) has a problem, or if we both do. I apologize for the length of this 
> message but I don't know how else to show the information that may let some 
> one help me figure this out.
> 
> Starting some time last night the two DNS servers that have always been used 
> started attempting to connect to my box. Lease is up? Whatever, the firewall 
> blocked it and I didn't think anything of it. But now when I try to surf to 
> some web sites I get a time out connecting or unknown host message, as though 
> there was no DNS server to query for the address to connect to. Also repeated 
> blocks of the two IPs that are the DNS server addresses.
> 
> First 3 untoward entries (time is MDT AM): 
> 
> May 26 12:10:37 h24-68-xxx-xx kernel: auditIN=eth0 OUT= 
> MAC=00:a0:0c:c1:d1:b6:00:00:77:8f:32:bc:08:00 SRC=24.70.95.195 
> DST=24.68.xxx.xx LEN=32 TOS=0x00 PREC=0x00 TTL=253 ID=18609 DF PROTO=ICMP 
> TYPE=8 CODE=0 ID=282 SEQ=56796
> 
> May 26 12:10:37 h24-68-xxx-xx kernel: PUB_IN DROP 2IN=eth0 OUT= 
> MAC=00:a0:0c:c1:d1:b6:00:00:77:8f:32:bc:08:00 SRC=24.70.95.195 
> DST=24.68.xxx.xx LEN=32 TOS=0x00 PREC=0x00 TTL=253 ID=18609 DF PROTO=ICMP 
> TYPE=8 CODE=0 ID=282 SEQ=56796
> 
> May 26 12:10:38 h24-68-xxx-xx kernel: PUB_IN DROP 4 IN=eth0 OUT= 
> MAC=00:a0:0c:c1:d1:b6:00:00:77:8f:32:bc:08:00 SRC=24.70.95.195 
> DST=24.68.xxx.xx LEN=351 TOS=0x00 PREC=0x00 TTL=253 ID=18610 DF PROTO=UDP 
> SPT=67 DPT=68 LEN=331
> 
> Also the most recent two log entries from today when I had difficulty 
> reaching web sites (time is MDT PM):
> 
> May 26 12:24:17 h24-68-xxx-xx kernel: PUB_IN DROP 4 IN=eth0 OUT= 
> MAC=00:a0:0c:c1:d1:b6:00:00:77:8f:32:bc:08:00 SRC=24.70.95.212 
> DST=24.68.xxx.xx LEN=61 TOS=0x00 PREC=0x00 TTL=253 ID=12133 DF PROTO=UDP 
> SPT=53 DPT=32770 LEN=41
> 
> May 26 12:24:27 h24-68-xxx-xx kernel: PUB_IN DROP 4 IN=eth0 OUT= 
> MAC=00:a0:0c:c1:d1:b6:00:00:77:8f:32:bc:08:00 SRC=24.70.95.212 
> DST=24.68.xxx.xx LEN=91 TOS=0x00 PREC=0x00 TTL=253 ID=12134 DF PROTO=UDP 
> SPT=53 DPT=32770 LEN=71
> 
> Strangest part of this is that while I was running InteractiveBastille to set 
> the firewall those two IPs were the DNS server entries that I entered. I mean 
> the 24.70.95.212 and 24.70.95.195. 
> 
> Have I broken something unbeknownst to me by accident, or is the whole 
> bleedin' system going insane because of vulnerabilities in MS bug-ware?
> 
> Thanks for any suggestions and once again sorry for the length of this 
> missive.
> 

Charles,

Try setting up a rule on the INPUT chain to allow your ISP to 
communicate with your named server and see if this clears up. I had the 
same situation before, however my log entries differed somewhat from 
yours. I'm not completely sure that this is the case for you. I don't 
recall seeing that the packets were showing up on the PUB_IN chain, 
unless that's the way you've set it up on purpose.

iptables -A INPUT -p udp --dport 53 -s 24.70.95.195 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -s 24.70.95.195 -j ACCEPT

You can add these two rules from the command line as root and then watch 
your syslog to see if the kernel continues to log or not.

Mark
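To make sense of the log lines quoted above before touching the rules, here is an added example (not code from either poster): a small Python parser for the netfilter `KEY=VALUE` log format that classifies each dropped packet. The resolver addresses are the two Charlie lists; the sample lines and the `24.68.0.1` destination are constructed stand-ins for the masked ones.

```python
import re
from collections import Counter

# Resolver addresses the original poster entered into Bastille.
RESOLVERS = {"24.70.95.195", "24.70.95.212"}

# Constructed sample lines in the netfilter log format quoted in the thread.
# DST=24.68.0.1 is a placeholder for the masked 24.68.xxx.xx address.
SAMPLE_LOG = """\
May 26 12:10:37 h24 kernel: PUB_IN DROP 2 IN=eth0 OUT= SRC=24.70.95.195 DST=24.68.0.1 LEN=32 TTL=253 ID=18609 DF PROTO=ICMP TYPE=8 CODE=0 ID=282 SEQ=56796
May 26 12:10:38 h24 kernel: PUB_IN DROP 4 IN=eth0 OUT= SRC=24.70.95.195 DST=24.68.0.1 LEN=351 TTL=253 ID=18610 DF PROTO=UDP SPT=67 DPT=68 LEN=331
May 26 12:24:17 h24 kernel: PUB_IN DROP 4 IN=eth0 OUT= SRC=24.70.95.212 DST=24.68.0.1 LEN=61 TTL=253 ID=12133 DF PROTO=UDP SPT=53 DPT=32770 LEN=41
May 26 12:30:00 h24 kernel: PUB_IN DROP 4 IN=eth0 OUT= SRC=198.51.100.7 DST=24.68.0.1 LEN=60 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22
"""

KV = re.compile(r"(\w+)=(\S*)")

def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one netfilter log line, or None if the
    line is not a kernel packet log. The first value wins when a key repeats
    (the IP header ID and the ICMP ID both log as ID=)."""
    if " kernel: " not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, val in KV.findall(line.split(" kernel: ", 1)[1]):
        fields.setdefault(key, val)
    return fields

def classify(f):
    """Name the kind of blocked inbound packet the fields describe."""
    proto, src = f.get("PROTO"), f.get("SRC")
    if proto == "UDP" and f.get("SPT") == "53":
        # Source port 53 towards a high port: a DNS answer coming back to us.
        return "dns_reply" if src in RESOLVERS else "dns_reply_unknown_server"
    if proto == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68":
        return "dhcp_server_reply"  # lease offer/ack for our own DHCP client
    if proto == "ICMP" and f.get("TYPE") == "8":
        return "icmp_echo_request"
    return "other"

def summarize(log_text):
    """Count dropped packets per category. A non-zero dns_reply count means the
    firewall is discarding answers to queries this host itself sent, which
    matches the 'unknown host' symptom described in the thread."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f:
            counts[classify(f)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over `/var/log/messages` instead of `SAMPLE_LOG` to see whether the drops are resolver answers and DHCP renewals (fix the rules) or unrelated traffic (leave them blocked).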



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com