Re: --state NEW for UDP?
On Thu, 01 May 2008 22:11:47 +0000, Greg Russell wrote:
> I am trying to log all instances of --state NEW packets on our interface
> to the Internet, and am occasionally getting some UDP packets that match
> the logging criteria from DNS nameservers:
Have fun with that; it's pretty easy to drive your host's load up that way.
> Is there any reason why a nameserver in /etc/resolv.conf would be sending
> me unsolicited UDP packets? The iptables rule that causes the logging is:
The DNS server didn't send you an unsolicited packet, it just answered your DNS
query, and that is a new packet (UDP is stateless).
> -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 \
> --log-prefix UNSOLICITED:
>
> and the logged entry for the first instance above is:
>
> May 1 08:31:48 centos51 kernel: UNSOLICITED:IN=eth1 OUT=
> MAC=00:03:6d:17:df:1a:00:a0:ad:09:1d:88:08:00 SRC=148.78.249.202
> DST=148.78.x.y LEN=105 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53
> DPT=45236 LEN=85
Logging every packet could lead to a DoS.
cheers
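As an added example (not code from the thread, the original poster, or any project), here is a small Python parser for the kernel LOG lines quoted above, with a classifier that separates probable DNS replies (PROTO=UDP, SPT=53 to an ephemeral destination port) from other packets that hit the `--state NEW` rule. The first sample line is the one Greg posted; the second is constructed for this example. Whether such a reply shows up as NEW depends on conntrack still holding the UDP entry for the outgoing query when the answer arrives; a `-m limit` match in front of `-j LOG` is the usual way to bound the log rate the reply warns about, but that rule is not shown here.

```python
"""Parse iptables LOG kernel messages and label why a --state NEW packet was logged.

Added example for the thread above; not code from the original post.
"""
from typing import Dict, List, Tuple

# Sample input. The first line is the log entry quoted in the thread; the
# second is constructed for this example and is not from the original post.
SAMPLE_LOG = """\
May 1 08:31:48 centos51 kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:03:6d:17:df:1a:00:a0:ad:09:1d:88:08:00 SRC=148.78.249.202 DST=148.78.x.y LEN=105 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=45236 LEN=85
May 1 08:32:10 centos51 kernel: UNSOLICITED:IN=eth1 OUT= MAC=00:03:6d:17:df:1a:00:a0:ad:09:1d:88:08:00 SRC=203.0.113.7 DST=148.78.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 PROTO=UDP SPT=40000 DPT=161 LEN=40
"""


def parse_log_line(line: str) -> Dict[str, object]:
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields.

    Bare flags (DF, SYN, ACK, ...) are collected under "FLAGS". The LOG target
    prints LEN twice, first the IP total length and then the UDP/TCP length,
    so those are stored as IP_LEN and L4_LEN.
    """
    head, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not an iptables LOG line: %r" % line)
    # The --log-prefix text sits between "kernel:" and "IN=".
    fields: Dict[str, object] = {"PREFIX": head.rsplit("kernel:", 1)[-1].strip()}
    flags: List[str] = []
    seen_len = 0
    for token in ("IN=" + rest).split():
        if "=" in token:
            key, _, value = token.partition("=")
            if key == "LEN":
                key = "IP_LEN" if seen_len == 0 else "L4_LEN"
                seen_len += 1
            fields[key] = value
        else:
            flags.append(token)
    fields["FLAGS"] = flags
    return fields


def classify(fields: Dict[str, object]) -> str:
    """Best-effort label for why conntrack reported this packet as NEW."""
    proto = fields.get("PROTO")
    flags = fields.get("FLAGS", [])
    dpt = int(str(fields.get("DPT", "0")))
    if proto == "UDP" and fields.get("SPT") == "53" and dpt >= 1024:
        # Source port 53 to an ephemeral port: the answer to a query this host
        # sent, seen as NEW because no UDP conntrack entry matched it.
        return "dns-reply"
    if proto == "UDP":
        return "udp-unsolicited"
    if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "tcp-connection-attempt"
    return "other"


def summarize(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (SRC, 'SPT->DPT', label) for every LOG line in log_text."""
    out: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue  # not a netfilter LOG message
        f = parse_log_line(line)
        ports = "%s->%s" % (f.get("SPT"), f.get("DPT"))
        out.append((str(f["SRC"]), ports, classify(f)))
    return out


if __name__ == "__main__":
    for src, ports, label in summarize(SAMPLE_LOG):
        print(src, ports, label)
```

Run it against the quoted line and the entry is labelled `dns-reply`; the constructed second line, a UDP packet from a high port to 161/udp, is labelled `udp-unsolicited`, which is the kind of entry the original rule was meant to catch.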