I have been getting literally tens of thousand of lines like the following in my syslog log file over a time span of less than a minute, although the DST IP address isn't always the same.


Apr 11 08:40:56 gopher kernel: [40316.825244] Shorewall:fw2loc:REJECT:IN= OUT=eth1 SRC=192.168.200.100 DST=68.87.77.130 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32771 DPT=53 LEN=44


I have Shorewall running and the check configuration seems to work appropriately. It is configured with two network interfaces with the address 192.168.200.100 in the error message above being the local interface for the private LAN.

The only DNS rule in Shorewall allows DNS entries from the public interface (net) to the Firewall.

I don't really know why I am getting this message in my log file. I don't know if this is a DOS attack, but the result is pretty much the same. My server is so busy logging these messages that it can't serve webpages and handle email.

That is not a DOS attack its your machine that is initiating those connections it seems like its trying to resolve names

Topdog,

If I understand you correctly, a correct course of action would be to add a rule to my Shorewall configuration to allow DNS traffic from the FW zone to the local zone?

The server in question here is running BIND 9 with split views. So it acts as the local DNS resolver for the clients on the network on the private view. It then also uses forwarders to my ISP's DNS servers for requests it can resolve itself.

Is this the problem then? Are LAN clients requesting a DNS lookup to my local DNS server, the server doesn't have it cached and therefore forwards to request to my ISP, gets the answer, but then Shorewall prohibits my server from talking to the LAN on the local interface?

Thanks.