Re: Re: debian repository on hit list
We must conclude that these packets are unclean. This would be a problem
with a remote firewall or router; could it be the infamous TCP_ECN? Then
again, I'd blame TCP_ECN for problems communicating with a Mars rover.
Since the tcpdump lets us know it's only inbound packets, the only other
possibly matching INPUT rule is the first one...
> Chain INPUT (policy DROP)
> target prot opt source destination
> UNCLEAN all -- anywhere anywhere unclean
>
> Chain UNCLEAN (2 references)
> target prot opt source destination
> LD all -- anywhere anywhere
>
> Chain LD (146 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning
> DROP all -- anywhere anywhere
>
I would let the ppl at progeny.com know of the problem. Tell them where
you got this unclean filter and who they should talk to about the filter.
Also tell the ppl who made the filter about progeny.com; they could be in
error.
Allow progeny.com to send you "unclean" packets. There should be an
option; if not, report a wishlist bug. Add the iptables rule yourself with
"iptables -I UNCLEAN -p tcp -s rama.progeny.com -j ACCEPT". Also, you
could add this to your /etc/network/interfaces...
up iptables -I UNCLEAN -p tcp -s rama.progeny.com -j ACCEPT || /bin/true
down iptables -D UNCLEAN -p tcp -s rama.progeny.com -j ACCEPT || /bin/true
--- Brent Elmer <webe3@myrealbox.com> wrote:
> The attachment has the iptables output.
>
> Brent
>
>
>
> On Thu, 2004-03-04 at 23:49, Mike Mestnik wrote:
> > Heh, what we have here is logging of http or ftp data packets. What does
> > the low-level (iptables) firewall show, i.e. "iptables -t
> > {nat,filter,mangle} -L"?
> >
> > Port matches.
> > ny.com.www > l3.net.35109
> > in:ppp0 out: port:35109 source:rama.progeny.com
> >
> > Size also matches.
> > 17:25:33.064532 rama.progeny.com.www >
> > dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P
> > 59861:59998(137) ack 180 win 65535 (DF) (ttl 54, id 13486, len 177)
> > time:Mar 4 17:25:33 in:ppp0 out: port:35109 source:rama.progeny.com
> > dest:171.75.199.82 len:177
> > tos:0x00 protocol:tcp service:unknown
> >
> > And
> >
> > 17:25:35.734325 rama.progeny.com.www >
> > dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P
> > 69787:70218(431) ack 180 win 65535 (DF) (ttl 54, id 25790, len 471)
> > time:Mar 4 17:25:35 in:ppp0 out: port:35109 source:rama.progeny.com
> > dest:171.75.199.82 len:471
> > tos:0x00 protocol:tcp service:unknown
> >
> >
> > --- Brent Elmer <webe3@myrealbox.com> wrote:
> > > I used tcpdump in the following way:
> > > $tcpdump -a -vvv -i ppp0 host rama.progeny.com -w tcpdump.out
> > >
> > > then I did this:
> > > tcpdump -vvv -r tcpdump.out > tcpdump.readable
> > >
> > > I saved the firestarter hits to a file. The hits did contain
> > > rama.progeny.com hits. I don't know much about interpreting what is
> > > going on but here are the two files. Does this show anything or do I
> > > need to do something else?
> > >
> > > Thanks,
> > >
> > > Brent
> > >
> > >
> > > On Thu, 2004-03-04 at 16:55, Mike Mestnik wrote:
> > > > Use tcpdump to find out more info about what is going on.
> > > >
> > > > --- Brent Elmer <webe3@myrealbox.com> wrote:
> > > > > I changed my repository from ftp://archive.progeny.com to
> > > > > http://archive.progeny.com in Synaptic. I still get a lot of hits for
> > > > > rama.progeny.com in firestarter during Synaptic downloading. The
> > > > > downloads stall a lot about the same time that firestarter reports the
> > > > > blocked hits from rama.progeny.com. Is there something else I can do?
> > > > >
> > > > > --
> > > > > Brent Elmer <webe3@myrealbox.com>
> > > > >
> > > >
> >
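
The hand matching done in the quoted reply (same second, same destination port, same length), as an added Python example that is not part of the original thread. The two regular expressions are assumptions fitted to the tcpdump and firestarter lines quoted above, and the third tcpdump line is constructed to show a packet with no matching hit.

```python
import re

# Patterns fitted to the two line formats quoted in this thread (assumptions).
TCPDUMP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\.\d+ (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): .*\blen (?P<len>\d+)\)")
HIT_RE = re.compile(
    r"time:\w+ +\d+ (?P<time>\d\d:\d\d:\d\d) in:(?P<iface>\S*) out:\S* "
    r"port:(?P<dport>\d+) source:(?P<src>\S+) dest:\S+ len:(?P<len>\d+)")

DST = "dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109"
TCPDUMP_LINES = [  # first two are from the thread (unwrapped); third is constructed
    f"17:25:33.064532 rama.progeny.com.www > {DST}: P 59861:59998(137) "
    "ack 180 win 65535 (DF) (ttl 54, id 13486, len 177)",
    f"17:25:35.734325 rama.progeny.com.www > {DST}: P 69787:70218(431) "
    "ack 180 win 65535 (DF) (ttl 54, id 25790, len 471)",
    f"17:25:34.500000 rama.progeny.com.www > {DST}: . ack 180 win 65535 "
    "(DF) (ttl 54, id 20000, len 40)",
]
HIT_LINES = [  # firewall hits from the thread (unwrapped)
    "time:Mar 4 17:25:33 in:ppp0 out: port:35109 source:rama.progeny.com "
    "dest:171.75.199.82 len:177 tos:0x00 protocol:tcp service:unknown",
    "time:Mar 4 17:25:35 in:ppp0 out: port:35109 source:rama.progeny.com "
    "dest:171.75.199.82 len:471 tos:0x00 protocol:tcp service:unknown",
]

def key(m):
    # Same second, same source host, same destination port, same IP length.
    return (m["time"], m["src"], m["dport"], m["len"])

def correlate(tcpdump_lines, hit_lines):
    """Return one record per firewall hit that matches a captured packet."""
    packets = {}
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m:
            packets.setdefault(key(m), []).append(m)
    matched = []
    for line in hit_lines:
        h = HIT_RE.search(line)
        for p in packets.get(key(h), []) if h else []:
            matched.append({"time": h["time"], "src": h["src"],
                            "sport": p["sport"], "dport": int(h["dport"]),
                            "len": int(h["len"]), "iface": h["iface"]})
    return matched

if __name__ == "__main__":
    for rec in correlate(TCPDUMP_LINES, HIT_LINES):
        print(rec)
```

Both matched hits carry source port www, so the dropped packets are inbound data from the HTTP download itself.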