[cobalt-users] DNS, AOL, and IPChains - Oh My!
- Subject: [cobalt-users] DNS, AOL, and IPChains - Oh My!
- From: Paul Warner <pwarner@xxxxxxxxxxxxxxxxxx>
- Date: Thu Jan 9 20:27:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Since configuring a firewall on a Raq4 that logs any packets that are
neither DENYed nor ACCEPTed per a rule, I have noticed the following...
AOL's nameservers seem to have very odd behaviour. They 'talk' to me on
odd, but regular port #'s as shown in this snippet:
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:50 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=17299 F=0x0000 T=47 (#62)
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=22479 F=0x0000 T=47 (#62)
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.225:51 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=55296 F=0x0000 T=47 (#62)
Jan 9 18:40:58 aegis kernel: Packet log: input DENY eth0 PROTO=17 64.12.51.143:51 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=1498 F=0x0000 T=49 (#62)
Jan 9 18:56:05 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:52 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=36468 F=0x0000 T=47 (#62)
Jan 9 20:46:03 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=200 S=0x00 I=59145 F=0x0000 T=47 (#62)
dtc-ext4.ns.aol.com (205.188.157.228)
dtc-ext2.ns.aol.com (205.188.157.226)
dtc-ext1.ns.aol.com (205.188.157.225)
mtc-ext5.ns.aol.com (64.12.51.143)
They are ALWAYS trying port 4649 from their port 50-53. Attempts from 53
make it through on an ACCEPT, the rest fall through to the 'catch-all'.
Another 'favourite' is my port 1981 from the same range. Note also that the
same machine will later attempt contact to the same destination port from a
different (or same) port in the 50-53 range.
There are no 'strange' DNS issues with the server failing to resolve,
send/receive mail, etc. and checkdns.com reports no errors on the domains
hosted on this box.
My Questions
============
# Am I dropping packets that are useful, or just noise?
# Why is it only AOL?
# Why does the 'random port > 1023' never seem to change?
# Is this a mis-configuration of DNS or IPChains on my part (other than to
log and thereby cause grief and worry)?
FWIW, IANA lists the following for the 'odd' FROM/TO ports
50 - Remote Mail Checking Protocol
51 - IMP Logical Address Maintenance
52 - XNS Time Protocol
1981 - p2pQ
4649 - unassigned
Thanks for any and all advice!
-- Paul
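
An added example, not part of the original post: a small Python parser for the ipchains "Packet log" lines quoted above that groups denied packets by protocol, destination port and rule number, so the pattern described (several sources, low source ports, one fixed destination port) can be pulled out of a longer log. The function names are hypothetical, and the sample input is the post's own six log entries with each entry on one line.

```python
import re
from collections import defaultdict

# ipchains "Packet log" layout: chain, target, interface, IP protocol number,
# src:port, dst:port, then L= S= I= F= T= fields and the matching rule (#n).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) .*?\(#(?P<rule>\d+)\)"
)

# The six log entries from the post, each rejoined onto one line.
SAMPLE = """\
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:50 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=17299 F=0x0000 T=47 (#62)
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=22479 F=0x0000 T=47 (#62)
Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.225:51 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=55296 F=0x0000 T=47 (#62)
Jan 9 18:40:58 aegis kernel: Packet log: input DENY eth0 PROTO=17 64.12.51.143:51 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=1498 F=0x0000 T=49 (#62)
Jan 9 18:56:05 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:52 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=36468 F=0x0000 T=47 (#62)
Jan 9 20:46:03 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=200 S=0x00 I=59145 F=0x0000 T=47 (#62)
"""

def parse(line):
    """Return one log entry as a dict, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "rule"):
        rec[key] = int(rec[key])
    return rec

def summarize(text, target="DENY"):
    """Group entries with the given target by (protocol, dest port, rule)."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "sports": set()})
    for line in text.splitlines():
        rec = parse(line)
        if rec is not None and rec["target"] == target:
            g = groups[(rec["proto"], rec["dport"], rec["rule"])]
            g["count"] += 1
            g["sources"].add(rec["src"])
            g["sports"].add(rec["sport"])
    return dict(groups)

if __name__ == "__main__":
    for (proto, dport, rule), g in sorted(summarize(SAMPLE).items()):
        print(f"proto={proto} dport={dport} rule=#{rule} packets={g['count']} "
              f"sources={sorted(g['sources'])} sports={sorted(g['sports'])}")
```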