From: Maciej Soltysiak
To: Michael Richardson
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Fri, 25 Jan 2013 19:01:40 +0100
Subject: Re: [Cerowrt-devel] arp for 0.0.0.0
In-Reply-To: <5858.1359130931@sandelman.ca>

On 25 Jan 2013 17:23, "Michael Richardson" <mcr@sandelman.ca> wrote:
> It also seems that there is no control to keep dnsmasq from answering
> on my ge00. I guess some trojans try to use me for DOS amplification by
> asking for isc.org continuously?

There is.

Although dnsmasq listens on 0.0.0.0:53 and :::53 it is not responding on ge00.
Thanks to list notinterface ge00 in /etc/config/dhcp

This means that port 53 is open, but DNS is not accessible from ge00, see:

solt@mkslnx004:~$ nmap -sV -p 53 A.B.C.D

Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 18:55 CET
Nmap scan report for XXXXX (A.B.C.D)
Host is up (0.018s latency).
PORT   STATE SERVICE    VERSION
53/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

solt@mkslnx004:~$ nslookup kernel.org A.B.C.D
;; connection timed out; no servers could be reached

If you want to close that down you could drop all on ge00 by:
iptables -I zone_wan -j DROP

or just filter 53.

Regards,
Maciej
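The reply above depends on one line in /etc/config/dhcp, `list notinterface ge00`, to keep dnsmasq from answering on the WAN side even though the socket is bound to 0.0.0.0:53 (which is why nmap still reports the port as open). The following script is an added example, not code from the thread or from CeroWrt: it parses a UCI dhcp config and reports whether a given interface is excluded in the `config dnsmasq` section. The sample config and the interface name ge00 are constructed; `dns_excluded_on`, `FILE` and `IFACE` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the cerowrt thread): audit a UCI dhcp config for the
# "notinterface" entry that stops dnsmasq from answering on the WAN interface.
# Assumes standard OpenWrt/CeroWrt UCI syntax; FILE and IFACE come from the caller.

# dns_excluded_on FILE IFACE
# Returns 0 if IFACE appears as "list notinterface" or "option notinterface"
# inside a "config dnsmasq" section (dnsmasq ignores queries arriving on it),
# returns 1 if dnsmasq would answer on IFACE. Entries in other sections
# (e.g. "config dhcp") do not count.
dns_excluded_on() {
    in_dnsmasq=0
    # read splits each line into type/key/value on whitespace without globbing
    while read -r typ key val rest || [ -n "$typ" ]; do
        case $typ in
            ''|'#'*) continue ;;                       # blank line or comment
            config)                                    # section header
                if [ "$key" = dnsmasq ]; then in_dnsmasq=1; else in_dnsmasq=0; fi
                continue ;;
            list|option)
                [ "$in_dnsmasq" -eq 1 ] && [ "$key" = notinterface ] || continue ;;
            *) continue ;;
        esac
        # strip the single or double quotes UCI commonly puts around values
        val=${val#\'}; val=${val%\'}; val=${val#\"}; val=${val%\"}
        [ "$val" = "$2" ] && return 0
    done < "$1"
    return 1
}

# Constructed sample config: ge00 is the WAN interface, as in the thread.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
config dnsmasq
	option domainneeded	1
	option localservice	1
	list notinterface	'ge00'

config dhcp 'lan'
	option interface	'lan'
EOF

if dns_excluded_on "$SAMPLE_CFG" ge00; then
    echo "ge00: dnsmasq ignores queries here (port may still show as open)"
else
    echo "ge00: dnsmasq WOULD answer here; add 'list notinterface ge00'"
fi
```

Run it against the real file with `dns_excluded_on /etc/config/dhcp ge00`; a non-zero exit means the WAN side needs either the notinterface entry or the port 53 firewall rule the reply suggests.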