also sprach Blair Strang <bls@nanocorp.net.nz> [2005.03.15.1245 +0100]: > I am guessing the problem is elsewhere. What does > /proc/net/ip_conntrack say the kernel is expecting? The UDP "connection" is not listed. Someone else told me in private mail that DNS is special, but I do not see anything special about the following: 16:27:15.369276 217.233.52.92.62406 > 217.237.151.97.53: 21533+ A? debian.org. (28) (DF) 16:27:15.424481 217.237.151.97.53 > 217.233.52.92.62406: 21533 1/0/0 A 192.25.206.10 (44) The corresponding ip_contrack entry: udp 17 27 src=217.233.52.92 dst=217.237.151.97 sport=62406 dport=53 packets=1 bytes=67 src=217.237.151.97 dst=217.233.52.92 sport=53 dport=62406 packets=1 bytes=115 mark=0 use=1 This looks all good and fine. Whenever I get log entries generated by iptables, it seems that they are some sort of spurious responses by the servers, or else iptables would let them through. Of course right now there aren't any. However, I have seen this for years and always wondered... Maybe someone has a smart way to diagnose this? For now, I'll use -A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix "[DNS in] " -A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j ULOG --ulog-prefix "[DNS out] " -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix "[spurious DNS] " Let's see what that brings... -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <madduck@debian.org> : :' : proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Attachment:
signature.asc
Description: Digital signature