I'm getting tons of denies on my firewall/Masq box on my DSL line which
is using IPChains to filter out almost everything. I want to make it
stop because it's filling up my logs. (No, I don't want to turn off
logging) I'm assuming it's doing a DNS query since it's coming from port
53, but don't really know why. My firewall box is a DNS server, but only
for my internal non-routable network. Anyone have any ideas?

Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64813 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64814 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64815 F=0x0000 T=47 (#32)

This has been going on for a few days now and my log files are growing.
Any idea what the ch top-level domain is? Any idea what it's doing? I
assume it's trying to resolve an address of mine, but I'm blocking it.
Why doesn't it time out?
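Before touching the ruleset, a defender would summarise entries like the ones above rather than read them one by one. The Python below is an added example, not part of the original post: it parses ipchains "Packet log" lines in exactly the format shown, counts denied flows, labels UDP from port 53 to an unprivileged local port as a probable DNS reply (an interpretation; the post only suspects it), and builds a non-logging DENY for one such flow so the logging rule stays in place for everything else. The sample lines are constructed, and the interface name eth1 and the rule position are assumptions read off the log.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

# Constructed sample: two lines in the post's format and addresses, plus an invented
# TCP SYN to telnet from a documentation-range address (198.51.100.7).
SAMPLE_LOG = """\
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:4444 64.6.191.90:23 L=60 S=0x00 I=1 F=0x0000 T=64 SYN (#32)
"""

def parse_line(line):
    """Fields of one log line as a dict (numbers as int); None if it is not a Packet log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "rule"):
        e[k] = int(e[k])
    e["flags"] = e["flags"].split()   # e.g. ["SYN"] on a TCP connect attempt, [] otherwise
    return e

def classify(e):
    """UDP from port 53 to an unprivileged port looks like a DNS answer to a query this box
    (or a masqueraded client behind it) sent; a TCP SYN is a fresh inbound connect."""
    if e["proto"] == 17 and e["sport"] == 53 and e["dport"] >= 1024:
        return "dns-reply"
    if e["proto"] == 6 and "SYN" in e["flags"]:
        return "tcp-syn"
    return "other"

def summarize(text):
    """Count DENY entries per (label, proto, src, sport, dst, dport, rule) so noisy flows stand out."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["target"] == "DENY":
            counts[(classify(e), e["proto"], e["src"], e["sport"], e["dst"], e["dport"], e["rule"])] += 1
    return counts

def quiet_deny_rule(flow, iface="eth1"):
    """ipchains command dropping exactly this flow with no -l, inserted at the logging rule's
    position so that rule keeps logging everything else (interface name is an assumption)."""
    label, proto, src, sport, dst, dport, rule = flow
    pname = {6: "tcp", 17: "udp"}.get(proto, str(proto))
    return f"ipchains -I input {rule} -i {iface} -p {pname} -s {src} {sport} -d {dst} {dport} -j DENY"
```

Run `summarize()` over the real log and feed only the flows you have decided are harmless noise to `quiet_deny_rule()`; a flow you cannot explain should keep logging.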


After a little bit of investigation I find out it's a SuSE Linux box and
has a LOT running. There's got to be an exploit in here somewhere...
# nmap -O -sS -v -v smtp.bycom.ch

Starting nmap V. 2.12 by Fyodor (fyodor at dhp.com, www.insecure.org/nmap/)
Host smtp.bycom.ch (217.24.32.10) appears to be up ... good.
Initiating SYN half-open stealth scan against smtp.bycom.ch
(217.24.32.10)
Adding TCP port 139 (state Firewalled).
Adding TCP port 22 (state Open).
Adding TCP port 53 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 138 (state Firewalled).
Adding TCP port 110 (state Open).
Adding TCP port 80 (state Open).
The SYN scan took 9 seconds to scan 1483 ports.
For OSScan assuming that port 21 is open and port 38683 is closed and
neither are firewalled
Interesting ports on smtp.bycom.ch (217.24.32.10):
Port    State       Protocol  Service
21      open        tcp        ftp
22      open        tcp        ssh
25      open        tcp        smtp
53      open        tcp        domain
80      open        tcp        http
110     open        tcp        pop-3
138     filtered    tcp        netbios-dgm
139     filtered    tcp        netbios-ssn

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2124463 (Good luck!)

Sequence numbers: C11B739 C6C2B3E CCCC545 C94066C C82B80A CEBC354
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 -
2.2.2
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=206AAF)
T1(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds

# telnet smtp.bycom.ch 25
Trying 217.24.32.10...
Connected to smtp.bycom.ch.
Escape character is '^]'.
220 ns1.bycom.ch ESMTP Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3; 

# telnet smtp.bycom.ch 110
Trying 217.24.32.10...
Connected to smtp.bycom.ch.
Escape character is '^]'.
+OK QPOP (version 2.53) at ns1.bycom.ch starting. 
<24291.974902011 at ns1.bycom.ch>
Wed, 22 Nov 2000 15:04:25 +0100

# ftp smtp.bycom.ch
Connected to smtp.bycom.ch.
220 ns1.bycom.ch FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready.
Name (smtp.bycom.ch:):

# nslookup - smtp.bycom.ch
Default Server:  smtp.bycom.ch
Address:  217.24.32.10

> ls bycom.ch
[smtp.bycom.ch]