I'm getting tons of denies on my firewall/Masq box on my DSL line, which is using IPChains to filter out almost everything. I want to make it stop because it's filling up my logs. (No, I don't want to turn off logging.) I'm assuming it's doing a DNS query since it's coming from port 53, but I don't really know why. My firewall box is a DNS server, but only for my internal non-routable network. Anyone have any ideas?

Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64813 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64814 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64815 F=0x0000 T=47 (#32)

This has been going on for a few days now and my log files are growing. Any idea what the ch top-level domain is? Any idea what it's doing? I assume it's trying to resolve an address of mine, but I'm blocking it. Why doesn't it time out?

After a little bit of investigation I find out it's a SuSE Linux box and has a LOT running. There's got to be an exploit in here somewhere...

# nmap -O -sS -v -v smtp.bycom.ch
Starting nmap V. 2.12 by Fyodor (fyodor at dhp.com, www.insecure.org/nmap/)
Host smtp.bycom.ch (217.24.32.10) appears to be up ... good.
Initiating SYN half-open stealth scan against smtp.bycom.ch (217.24.32.10)
Adding TCP port 139 (state Firewalled).
Adding TCP port 22 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 138 (state Firewalled).
Adding TCP port 110 (state Open).
Adding TCP port 80 (state Open).
The SYN scan took 9 seconds to scan 1483 ports.
For OSScan assuming that port 21 is open and port 38683 is closed and neither are firewalled
Interesting ports on smtp.bycom.ch (217.24.32.10):
Port    State       Protocol  Service
21      open        tcp       ftp
22      open        tcp       ssh
25      open        tcp       smtp
53      open        tcp       domain
80      open        tcp       http
110     open        tcp       pop-3
138     filtered    tcp       netbios-dgm
139     filtered    tcp       netbios-ssn

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2124463 (Good luck!)
Sequence numbers: C11B739 C6C2B3E CCCC545 C94066C C82B80A CEBC354
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=206AAF)
T1(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds

# telnet smtp.bycom.ch 25
Trying 217.24.32.10...
Connected to smtp.bycom.ch.
Escape character is '^]'.
220 ns1.bycom.ch ESMTP Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3;

# telnet smtp.bycom.ch 110
Trying 217.24.32.10...
Connected to smtp.bycom.ch.
Escape character is '^]'.
+OK QPOP (version 2.53) at ns1.bycom.ch starting. <24291.974902011 at ns1.bycom.ch> Wed, 22 Nov 2000 15:04:25 +0100

# ftp smtp.bycom.ch
Connected to smtp.bycom.ch.
220 ns1.bycom.ch FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready.
Name (smtp.bycom.ch:):

# nslookup - smtp.bycom.ch
Default Server: smtp.bycom.ch
Address: 217.24.32.10

> ls bycom.ch
[smtp.bycom.ch]
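An added example, not part of the original post: a small Python parser for the ipchains "Packet log:" lines shown above, which aggregates DENY entries by protocol, address pair and rule number so you can see which single flow is filling the log before deciding what rule to add. The sample lines are copied from the post; the regex, field names and PROTO_NAMES table are my own.

```python
import re
from collections import Counter

# Field layout of an ipchains "Packet log:" line (regex written for this example)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-fA-F]+ "
    r"I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers seen in PROTO=

# Three of the lines from the post above, used as sample input
SAMPLE_LOG = [
    "Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000 T=47 (#32)",
]

def parse_line(line):
    """Return the packet fields as a dict, or None if this is not an ipchains log line."""
    m = IPCHAINS_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,  # "(#32)" is the matching rule
    }

def summarise(lines, action="DENY"):
    """Count packets with the given action per (proto, src:sport, dst:dport, rule)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action:
            key = (rec["proto"], f"{rec['src']}:{rec['sport']}",
                   f"{rec['dst']}:{rec['dport']}", rec["rule"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    # Busiest denied flows first; feed a real file with summarise(open(path))
    for (proto, src, dst, rule), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {proto:4s} {src} -> {dst}  (rule #{rule})")
```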