[Firewall] Still trouble? UDP as well

Gustin Johnson gustin at meganerd.ca
Tue Mar 23 19:49:12 CET 2010

On Tue, Mar 23, 2010 at 11:26 AM, Roland Haeder <r.haeder at gmx.de> wrote:
> Hello,
> no, that was a legitimate connection which has been wrongly dropped. The
> source IP matches with the one of my set-up name server entries.
> Hmmm, or someone has spoofed that IP to poison DNS requests?

It can be difficult to tell from headers alone since without the 3-way
handshake, UDP is much easier to spoof (trivial actually).  I would
capture that traffic with tcpdump and look at it to see if it is
legitimate or not, then adjust your rules accordingly.
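
One way to do the "look at it" step once the capture is in hand, as an added example that is not part of the original message: pair every DNS reply with the query it answers, using addresses, ports, transaction ID and question. The packet tuples, the addresses and the 30-second `max_age` are constructed assumptions; real values would come from the tcpdump capture and the firewall's UDP state timeout.

```python
import struct

def parse_dns(payload):
    """Return (txid, is_response, qname, qtype); ValueError if malformed."""
    if len(payload) < 12 or payload[4:6] != b"\x00\x01":
        raise ValueError("not a single-question DNS message")
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12  # the question name starts right after the header
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63:  # a label is at most 63 bytes; larger means a pointer
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(payload):  # need the root byte, QTYPE and QCLASS
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

def classify(packets, max_age=30.0):
    """packets: (ts, src, sport, dst, dport, payload) tuples in time order."""
    pending, verdicts = {}, []
    for ts, src, sport, dst, dport, payload in packets:
        try:
            txid, is_resp, qname, qtype = parse_dns(payload)
        except ValueError:
            verdicts.append((ts, "malformed"))
            continue
        key = (txid, qname, qtype)
        if not is_resp:  # store the query under the tuple its reply will carry
            pending[(dst, dport, src, sport) + key] = ts
            continue
        sent = pending.pop((src, sport, dst, dport) + key, None)
        verdict = ("unsolicited" if sent is None else  # nobody asked for this
                   "late" if ts - sent > max_age else "matched")
        verdicts.append((ts, verdict))
    return verdicts

def build(txid, response, name):  # helper that constructs the sample messages
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0) + q + b"\0\x01\0\x01"

NS, HOST = "192.0.2.53", "198.51.100.10"  # documentation addresses, constructed
SAMPLE = [
    (0.00, HOST, 40001, NS, 53, build(0x1A2B, False, "example.org")),
    (0.03, NS, 53, HOST, 40001, build(0x1A2B, True, "example.org")),
    (1.00, HOST, 40002, NS, 53, build(0x2222, False, "example.net")),
    (45.0, NS, 53, HOST, 40002, build(0x2222, True, "example.net")),
    (46.0, NS, 53, HOST, 40003, build(0x9999, True, "example.com")),
]
```

A "late" verdict is a real answer that arrived after the state entry would have expired, which points at the timeout rather than at the rule; an "unsolicited" one has no query behind it and is the case to keep dropping.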

