DNS knocking on my Shorewall

I asked the owner of the SRC machine below what's happening here:

Aug 25 08:13:04 joseph kernel: Shorewall:net2allROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11 DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP SPT=53 DPT=2898 LEN=57

His answer was that it looks like his machine is replying to my
machines DNS requests, and it's being blocked. Does this answer
make sense? I don't know enough DNS to evaluate it on my own.

My shorewall policy for the zone this is coming from is to DROP
anything that I don't explicitly let in. I trust the zone as
much as I'd trust anything -- it's my work, and they have a very
good track-record with me and their own firewall. Is it
reasonably safe to let in UDP port 53, which is "domain" in my
/etc/services?

Maybe letting in UDP port 53 isn't the right way to address this.
Is there a shorewall way to let in any packet that's a response
to a packet that I originated? Can I explicitly restrict that
"any" but have a policy to let in the other response packets?

Thanks....


--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

On Tue, 26 Aug 2003, Kevin wrote:

> I asked the owner of the SRC machine below what's happening here:
>
> Aug 25 08:13:04 joseph kernel: Shorewall:net2allROP:IN=eth0 OUT= MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11 DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP SPT=53 DPT=2898 LEN=57
>
> His answer was that it looks like his machine is replying to my
> machines DNS requests, and it's being blocked. Does this answer
> make sense? I don't know enough DNS to evaluate it on my own.

It might be. You could use tcpdump to look at these packets.
$ /usr/sbin/tcpdump -n -s 1500 -p udp port 53

This should catch both outgoing and returning packets, which if his
explanation is correct, you should be able to match up.

I see lots of random dns queries trapped by my firewall. However these
have DST port 53, not SRC port 53.

It *might* be that your nameserver is sending these UDP queries and when
it gets no replies (because the firewall trapped them), it then uses TCP
for the DNS queries. I don't know if BIND or other name servers behave
like this, though.


> Maybe letting in UDP port 53 isn't the right way to address this.
> Is there a shorewall way to let in any packet that's a response
> to a packet that I originated?

Don't know about Shorewall, but it is trivially easy with IPTABLES.

Why use Shorewall anyway? Why not use a "standard" Linux distro
(RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
genuine enquiry.

Whoever wrote:

> On Tue, 26 Aug 2003, Kevin wrote:
>
>> I asked the owner of the SRC machine below what's happening here:
>>
>> Aug 25 08:13:04 joseph kernel: Shorewall:net2allROP:IN=eth0 OUT=
>> MAC=00:a0:cc:59:82:5e:00:ba:db:ee:fb:0b:08:00 SRC=128.181.5.11
>> DST=201.39.149.123 LEN=77 TOS=0x00 PREC=0x00 TTL=253 ID=6022 DF PROTO=UDP
>> SPT=53 DPT=2898 LEN=57
>>
>> His answer was that it looks like his machine is replying to my
>> machines DNS requests, and it's being blocked. Does this answer
>> make sense? I don't know enough DNS to evaluate it on my own.
>
> It might be. You could use tcpdump to look at these packets.
> $ /usr/sbin/tcpdump -n -s 1500 -p udp port 53
>
> This should catch both outgoing and returning packets, which if his
> explanation is correct, you should be able to match up.
>
> I see lots of random dns queries trapped by my firewall. However these
> have DST port 53, not SRC port 53.
>
> It *might* be that your nameserver is sending these UDP queries and when
> it gets no replies (because the firewall trapped them), it then uses TCP
> for the DNS queries. I don't know if BIND or other name servers behave
> like this, though.
>
>
>> Maybe letting in UDP port 53 isn't the right way to address this.
>> Is there a shorewall way to let in any packet that's a response
>> to a packet that I originated?
>
> Don't know about Shorewall, but it is trivially easy with IPTABLES.
>
> Why use Shorewall anyway? Why not use a "standard" Linux distro
> (RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
> genuine enquiry.

Shorewall is the firewall supplied with Mandrake 9.0.

Doug.
--
Registered Linux User No. 277548.
They say lightning never strikes twice in the same place. My typing is
about as accurate. Apologies for any typos that slip in. - Doug.

In article <Pine.LNX.4.44.0308261741480.623-100000@c941211-a>,
Whoever <(E-Mail Removed)> writes:
> Why use Shorewall anyway? Why not use a "standard" Linux distro
> (RedHat, Debian, etc.)? I'm not trying to make a point here, this is a
> genuine enquiry.

Shorewall is "standard" with Mandrake >= 9.0.

Good suggestion on the tcpdump -- I'll try that.

Thanks....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.