[Firewall] Still trouble? UDP as well
gustin at meganerd.ca
Tue Mar 23 19:49:12 CET 2010
On Tue, Mar 23, 2010 at 11:26 AM, Roland Haeder <r.haeder at gmx.de> wrote:
> no, that was a legitimate connection which has been wrongly dropped. The
> source IP matches with the one of my setup-ed name server entries.
> Hmmm, or someone has spoofed that IP to poison DNS requests?
It can be difficult to tell from headers alone since without the 3-way
handshake, UDP is much easier to spoof (trivial actually). I would
capture that traffic with tcpdump and look at it to see if it is
legitimate or not, then adjust your rules accordingly.
More information about the Firewall