Bug 133599

Summary: SFW2-OUT-ERROR -- /var/log/firewall entries on a fresh SUSE Linux 10.0 system
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Bryce Nesbitt <bryce2>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: Other
OS: SuSE Linux 10.0
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Bryce Nesbitt 2005-11-12 22:30:03 UTC
I've just recently installed SUSE Linux 10.0.  But every time I boot stuff ends up in the firewall log, and it looks like it is coming from my own computer (192.168.1.109)!!

There's a hardware firewall also, so nothing (except port 22 attempts) should be coming in:

Nov 12 12:57:05 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.109 DST=224.0.0.251 LEN=107 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=UDP SPT=5353 DPT=5353 LEN=87
Nov 12 12:57:37 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.109 DST=224.0.0.251 LEN=107 TOS=0x00 PREC=0x00 TTL=255 ID=9 DF PROTO=UDP SPT=5353 DPT=5353 LEN=87
Nov 12 13:12:39 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.109 DST=202.3.177.35 LEN=446 TOS=0x00 PREC=0x00 TTL=64 ID=8877 DF PROTO=TCP SPT=8958 DPT=80 WINDOW=1728 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0002A6BA06963400)
Nov 12 13:12:56 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.109 DST=202.3.177.35 LEN=444 TOS=0x00 PREC=0x00 TTL=64 ID=30910 DF PROTO=TCP SPT=8999 DPT=80 WINDOW=1975 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0002B73206964BF6)
Nov 12 13:13:13 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.109 DST=202.3.177.35 LEN=440 TOS=0x00 PREC=0x00 TTL=64 ID=57440 DF PROTO=TCP SPT=8998 DPT=80 WINDOW=1979 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0002C84D06964BD1)
Nov 12 13:13:38 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.109 DST=202.3.177.35 LEN=445 TOS=0x00 PREC=0x00 TTL=64 ID=41688 DF PROTO=TCP SPT=9012 DPT=80 WINDOW=1728 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0002E01806964DBB)

I've done a reverse DNS on the "DST" or destination of these packets and got lots of stuff, including web sites I have visited, but some I never have:

121.62.193.64.in-addr.arpa domain name pointer ptr-121-62-193-64.rev.skiplink.net.
131.211.141.196 -- 196.141.211.131.in-addr.arpa domain name pointer humbolt.leper.phil.uu.nl.
132.151.28.69.in-addr.arpa domain name pointer cds302.sjc.llnw.net.
1.32.240.216.in-addr.arpa domain name pointer idiom.com.
169.145.200.203.in-addr.arpa is an alias for 169.abtauto.145.200.203.in-addr.arpa.
169.abtauto.145.200.203.in-addr.arpa domain name pointer pcet.ac.in.
170.20.0.25 -- 25.0.20.170.in-addr.arpa domain name pointer cbs.com.
170.20.0.29 -- 29.0.20.170.in-addr.arpa domain name pointer videocgi.cbs.com.
181.87.73.216.in-addr.arpa domain name pointer eqvaadvip3.doubleclick.net.
186.79.218.66.in-addr.arpa domain name pointer p1w18.geo.scd.yahoo.com.
192.168.1.109 -- Host 109.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
192.168.1.116 -- Host 116.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
192.168.1.255 -- Host 255.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
202.148.94.24.in-addr.arpa domain name pointer 148bus202.tampabay.res.rr.com.
202.3.177.35 -- 35.177.3.202.in-addr.arpa domain name pointer 35-177.unigate.net.tw.
203.200.145.169 -- 169.145.200.203.in-addr.arpa is an alias for 169.abtauto.145.200.203.in-addr.arpa.
206.204.187.25 -- Host 25.187.204.206.in-addr.arpa not found: 3(NXDOMAIN)
207.241.224.241 -- 241.224.241.207.in-addr.arpa domain name pointer www.archive.org.
207.241.234.220 -- 220.234.241.207.in-addr.arpa domain name pointer ia300120.us.archive.org.
208.184.214.245 -- 245.214.184.208.in-addr.arpa domain name pointer 208.184.214.245.nextbus.com.
216.240.32.1 -- 1.32.240.216.in-addr.arpa domain name pointer idiom.com.
216.240.33.75 -- 75.33.240.216.in-addr.arpa domain name pointer www.obviously.com.
216.73.87.181 -- 181.87.73.216.in-addr.arpa domain name pointer eqvaadvip3.doubleclick.net.
220.234.241.207.in-addr.arpa domain name pointer ia300120.us.archive.org.
224.0.0.251 -- Host 251.0.0.224.in-addr.arpa not found: 3(NXDOMAIN)
241.224.241.207.in-addr.arpa domain name pointer www.archive.org.
245.214.184.208.in-addr.arpa domain name pointer 208.184.214.245.nextbus.com.
24.94.148.202 -- 202.148.94.24.in-addr.arpa domain name pointer 148bus202.tampabay.res.rr.com.
25.0.20.170.in-addr.arpa domain name pointer cbs.com.
29.0.20.170.in-addr.arpa domain name pointer videocgi.cbs.com.
35.177.3.202.in-addr.arpa domain name pointer 35-177.unigate.net.tw.
53.250.186.64.in-addr.arpa domain name pointer kagami.redwire.net.
64.186.250.53 -- 53.250.186.64.in-addr.arpa domain name pointer kagami.redwire.net.
64.193.62.121 -- 121.62.193.64.in-addr.arpa domain name pointer ptr-121-62-193-64.rev.skiplink.net.
64.40.144.141 -- 141.144.40.64.in-addr.arpa domain name pointer web6.websitesource.net.
69.28.151.132 -- 132.151.28.69.in-addr.arpa domain name pointer cds302.sjc.llnw.net.
75.33.240.216.in-addr.arpa domain name pointer www.obviously.com.
Host 109.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 251.0.0.224.in-addr.arpa not found: 3(NXDOMAIN)

What do these messages mean, where can I find information on this in the SUSE help files, and should I be concerned?

Where can we learn exactly what these messages mean?
Comment 1 Ludwig Nussel 2005-11-14 11:09:12 UTC
The SFW2-INext-DROP-DEFLT messages mentioning port 5353 are caused by mdnsd, multicast "echoes" from your own packages. Port 5353 is closed by default.

The port 80 SFW2-OUT-ERROR messages are strange but harmless. For some reason netfilter doesn't consider the packages NEW,ESTABLISHED,RELATED. Does it stop logging that if you restart SuSEfirewall2?
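As an added illustration of the two message types explained in comment 1 (this is not code from the bug report or from SuSEfirewall2), the following Python parses SFW2 kernel log lines into their key=value fields and bare TCP/IP flags and sorts each line into one of three buckets: an mDNS multicast echo from the host's own address, an outbound packet that the connection tracker did not classify as NEW/ESTABLISHED/RELATED (SFW2-OUT-ERROR), or an ordinary inbound drop. The sample lines are constructed: the first two mirror lines from the report, the third is an invented inbound SSH attempt from a LAN neighbour (the 192.168.1.116 source is borrowed from the reporter's DNS list). The set of local addresses is an assumption supplied by the caller.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input: two lines copied in shape from the bug report (own-host mDNS
# multicast and an SFW2-OUT-ERROR) plus one invented inbound SSH attempt from a LAN peer.
SAMPLE_LOG = """\
Nov 12 12:57:05 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.109 DST=224.0.0.251 LEN=107 TOS=0x00 PREC=0x00 TTL=255 ID=8 DF PROTO=UDP SPT=5353 DPT=5353 LEN=87
Nov 12 13:12:39 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.109 DST=202.3.177.35 LEN=446 TOS=0x00 PREC=0x00 TTL=64 ID=8877 DF PROTO=TCP SPT=8958 DPT=80 WINDOW=1728 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080A0002A6BA06963400)
Nov 12 13:20:00 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.116 DST=192.168.1.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

MDNS_GROUP = "224.0.0.251"   # link-local multicast group used by mDNS (UDP 5353)

# syslog timestamp, host, "kernel:", the SFW2 chain/target tag, then the netfilter fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<chain>SFW2-\S+) (?P<rest>.*)$"
)
# TCP options are logged as "OPT (hex)" with a space inside, so pull them out before tokenising
OPT_RE = re.compile(r"\s*OPT \(([0-9A-Fa-f]*)\)")


def parse_line(line: str) -> Optional[dict]:
    """Return {"ts", "host", "chain", "fields", "flags"[, "OPT"]} or None for non-SFW2 lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: dict = {"ts": m.group("ts"), "host": m.group("host"), "chain": m.group("chain")}
    rest = m.group("rest")
    opt = OPT_RE.search(rest)
    if opt:
        rec["OPT"] = opt.group(1)
        rest = OPT_RE.sub("", rest)
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")      # "OUT=" gives an empty value, which is meaningful
            base, n = key, 1
            while key in fields:                  # IP LEN and UDP LEN both log as LEN=; keep both
                n += 1
                key = f"{base}.{n}"
            fields[key] = val
        else:
            flags.append(tok)                     # DF, SYN, ACK, PSH, FIN, ...
    rec["fields"] = fields
    rec["flags"] = flags
    return rec


def classify(rec: dict, local_addrs: set) -> str:
    """Bucket a parsed record the way comment 1 explains the two message types."""
    f, chain = rec["fields"], rec["chain"]
    if f.get("PROTO") == "UDP" and f.get("DST") == MDNS_GROUP and f.get("DPT") == "5353":
        # multicast mDNS; when SRC is one of our own addresses it is the host's own echo
        return "mdns-echo" if f.get("SRC") in local_addrs else "mdns-from-peer"
    if chain.startswith("SFW2-OUT-ERROR"):
        # outbound packet not matched as NEW/ESTABLISHED/RELATED by conntrack
        return "outbound-untracked"
    if chain.startswith("SFW2-IN"):
        return "inbound-drop"
    return "other"


def summarize(log_text: str, local_addrs: set) -> Dict[str, int]:
    """Count records per bucket, skipping lines that are not SFW2 kernel messages."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec, local_addrs)] += 1
    return dict(counts)


if __name__ == "__main__":
    local = {"192.168.1.109"}          # assumption: the reporting host's own address
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["ts"], rec["chain"], classify(rec, local), rec["flags"])
    print(summarize(SAMPLE_LOG, local))
```

The only bucket worth a second look in a real log is `inbound-drop` from non-local sources; the `mdns-echo` and `outbound-untracked` lines are the noise comment 1 describes, and the `OPT` and `flags` values are kept so a reader can see, for instance, that the OUT-ERROR packets in the report carry ACK PSH FIN rather than SYN.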
Comment 2 Bryce Nesbitt 2005-11-21 05:17:39 UTC
If the mDNS port is closed by default, why does SUSE enable mDNSd by default?
Comment 3 Ludwig Nussel 2005-11-21 08:27:22 UTC
for LAN use. External zone != LAN.