Re: [Leaf-user] port 53 flooding my log
On Sun, 17 Feb 2002 21:00:58 -0500 Mike Sussman [EMAIL PROTECTED] wrote:

> I have observed several other port 53 floods. Am I the only one?
>
> tcp_128.121.10.146_53 tcp_128.242.105.34_53 tcp_129.250.244.10_53 tcp_203.81.45.254_53 tcp_209.157.68.18_53 tcp_213.38.75.193_53

No, you are not the only one. I have approx. 20 such entries in my /etc/network.conf and I seem to add one or two a month. Although going by the output in /viewfw it has been sort of quiet the past couple of weeks.

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user

Re: [Leaf-user] port 53 flooding my log
> Message: 2
> Date: Fri, 15 Feb 2002 10:14:52 -0800
> From: Victor McAllister [EMAIL PROTECTED]
> To: leaf-user [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] port 53 flooding my log
>
> GREGOR wrote:
>
> > I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ switch=PRIVATE on eth2 and internal network on eth1 (thanks to bela, charles and ray). I've got tons of logs of hits on port 53 like the following examples :
>
> Since you are using DCD - try adding all the port 53 flood servers in SILENT_DENY. Here is a copy of my list - note that they are all on one line, each machine separated by a space. I have modified my list.
>
> # grep SILENT_DENY /etc/network.conf
> SILENT_DENY=tcp_64.78.235.14_53 tcp_64.56.174.186_53 tcp_64.37.200.46_53 tcp_64.14.200.154_53 tcp_62.26.119.34_53 tcp_62.23.80.2_53 tcp_216.35.167.58_53 tcp_216.34.68.2_53 tcp_216.33.35.214_53 tcp_216.220.39.42_53 tcp_212.78.160.237_53 tcp_203.208.128.70_53 tcp_203.194.166.182_53 tcp_202.139.133.129_53 tcp_194.213.64.150_53 tcp_194.205.125.26_53
>
> svi network ipfilter reload
>
> If it stops the log noise - then backup etc.
>
> Victor McAllister
>
> --__--__--

I have observed several other port 53 floods. Am I the only one?

tcp_128.121.10.146_53 tcp_128.242.105.34_53 tcp_129.250.244.10_53 tcp_203.81.45.254_53 tcp_209.157.68.18_53 tcp_213.38.75.193_53

--
Mike Sussman [EMAIL PROTECTED]

Re: [Leaf-user] port 53 flooding my log
GREGOR wrote:

> I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ switch=PRIVATE on eth2 and internal network on eth1 (thanks to bela, charles and ray). I've got tons of logs of hits on port 53 like the following examples :

Since you are using DCD - try adding all the port 53 flood servers in SILENT_DENY. Here is a copy of my list - note that they are all on one line, each machine separated by a space. I have modified my list.

# grep SILENT_DENY /etc/network.conf
SILENT_DENY=tcp_64.78.235.14_53 tcp_64.56.174.186_53 tcp_64.37.200.46_53 tcp_64.14.200.154_53 tcp_62.26.119.34_53 tcp_62.23.80.2_53 tcp_216.35.167.58_53 tcp_216.34.68.2_53 tcp_216.33.35.214_53 tcp_216.220.39.42_53 tcp_212.78.160.237_53 tcp_203.208.128.70_53 tcp_203.194.166.182_53 tcp_202.139.133.129_53 tcp_194.213.64.150_53 tcp_194.205.125.26_53

svi network ipfilter reload

If it stops the log noise - then backup etc.

Victor McAllister

Re: [Leaf-user] port 53 flooding my log
On Fri, 15 Feb 2002, GREGOR wrote:

> I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ switch=PRIVATE on eth2 and internal network on eth1 (thanks to bela, charles and ray). I've got tons of logs of hits on port 53 like the following examples :

[...]

> I've searched the mailing list archives and found these following extra lines to add to ipfilter.conf file :
>
> # New Port 53 filter start IP_LIST=`cat /etc/dns_floods`

The above line should be two lines.

> for IP in $IP_LIST; do
> $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i$EXTERN_IF

I think you should have a space between the -i and $EXTERN_IF.

> done; unset IP
> #New Port 53 filter end
>
> I've created the */etc/dns_floods* file as instructed in the archive and also added some more IP#'s and then did *svi network reload*, but those hits don't seem to stop.

Shell debugging tip: try the commands interactively to see if they have the desired effect. Note that the variables defined at the point where the script executes may not be defined at the command prompt, but you can manually replace the variables or in some cases source the definitions file (/etc/network.conf).

---
Jeff Newmiller
DCN:[EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
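
Added example, not part of any post in this thread: the loop quoted in the last message with both of Jeff Newmiller's corrections applied, written to print the rules rather than run them so they can be checked interactively first. The `ipchains` default for `$IPCH`, the `EXTERN_IP`/`EXTERN_IF` values and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: print (do not run) one ipchains DENY rule per listed address.
# Assumptions: IPCH defaults to "ipchains"; EXTERN_IP/EXTERN_IF are placeholders
# for the values the firewall scripts normally take from /etc/network.conf.
IPCH=${IPCH:-ipchains}
EXTERN_IP=${EXTERN_IP:-203.0.113.5}    # constructed documentation address
EXTERN_IF=${EXTERN_IF:-eth0}

# valid_ip ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ip() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# flood_rules FILE: one rule per valid address. Blank lines and '#' comments are
# skipped; malformed entries are reported on stderr instead of reaching ipchains.
flood_rules() {
    while read -r ip _rest || [ -n "$ip" ]; do
        case $ip in
            ''|'#'*) continue ;;
        esac
        if valid_ip "$ip"; then
            # Space before $EXTERN_IF, and the port follows the -d address.
            echo "$IPCH -I input -j DENY -p tcp -s $ip/32 -d $EXTERN_IP/32 53 -i $EXTERN_IF"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done < "$1"
}

# Constructed sample list (documentation addresses, not taken from the thread).
sample=${TMPDIR:-/tmp}/dns_floods.sample.$$
printf '%s\n' '# one address per line' '192.0.2.10' '' '300.1.1.1' \
    'tcp_192.0.2.9_53' '198.51.100.7' > "$sample"
flood_rules "$sample"                  # review the output before piping it to sh
rm -f "$sample"
```

An entry copied in SILENT_DENY form (`tcp_..._53`) is rejected here, since the flood list for this loop holds bare addresses only.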