Why are Exetel dns trying to access port 50013 ?

Wired and wireless home networking
petemoss
Posts: 192
Joined: Sat Sep 30, 2006 3:22 pm

Why are Exetel dns trying to access port 50013 ?

Post by petemoss » Mon Aug 22, 2011 4:36 pm

Hi,

As the subject reads, why are Exetel domain name servers trying to access port 50013? The firewall logs:

Aug 22 16:00:26 firewall:info: 4109.564 Blocked Prot=17, 220.233.0.3:53 > 220.233.*.*:50013 -Disallowed Destination IP

Aug 22 16:00:26 firewall:info: 4109.574 Blocked Prot=17, 220.233.0.4:53 > 220.233.*.*:50013 -Disallowed Destination IP

Please explain.

Pete

Dazzled
Volunteer Site Admin
Posts: 5999
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Why are Exetel dns trying to access port 50013 ?

Post by Dazzled » Mon Aug 22, 2011 5:52 pm

Pete, name servers commonly exchange data between a high port on the client and port 53 on the server. The server replies to the source IP and port. I don't know why the router block occurred, but netstat will reveal the ports you are using, see e.g. http://www.linuxhowtos.org/Network/netstat.htm

You might find sudo iftop handy (use Synaptic). It runs in the terminal - you can toggle source and dest port display with (capital) S and D.

PS That looks like a Billion log. Are you running an extra firewall?

petemoss
Posts: 192
Joined: Sat Sep 30, 2006 3:22 pm

Re: Why are Exetel dns trying to access port 50013 ?

Post by petemoss » Mon Aug 22, 2011 9:24 pm

Dazzled, thanks for your reply. I have NAT enabled, which, from my very limited understanding, 'works' when there is a request from the source initially. If there is no source port initiating the request, then the destination port shouldn't send back an ACK or whatever it sends back (see, I said my knowledge was minor on this).

Anyway, what I'm trying to say is the only way it will get in the firewall logs is when the source did NOT initiate the request. Sure, for DNS the source must initiate the request, but the logging appears for a different port number maybe?

I tried all those commands from the Linux 'howtos', and could see some high port numbers from the source. Yes, it is a Billion log, a BiPAC 7404VGPX. The Linux/Ubuntu isn't running a firewall at all, nothing in iptables, etc. I rely on the router's firewall completely.

Dazzled
Volunteer Site Admin
Posts: 5999
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Why are Exetel dns trying to access port 50013 ?

Post by Dazzled » Mon Aug 22, 2011 9:58 pm

My thoughts are that you made a standard outgoing name server request and the reply was blocked by an incoming firewall rule in the Billion. Firewalls usually have separate rules for incoming and outgoing packets.

NAT is simple and sufficient; router iptables will normally have "ACCEPT all -- ppp_8_35_1 any anywhere anywhere state RELATED,ESTABLISHED", basically, connections you initiated; but many Billions, such as yours, have some more rules. If you have one of those additional Billion firewall rules running I'd consider killing it. They put these features in mainly because of Windows insecurity. The guff is at p68 & onwards in the user manual.

Iftop is worth looking at closely as it can illuminate all sorts of internet activity. Use the H toggle to see keys for other forms of display. Running it in the terminal keeps the overhead very low, but the "look" is clunky.

PS: default Ubuntu has virtually no firewall. There are other forms of security. The router usually keeps out intruder attacks. If you want to add rules, use Firestarter or ufw, but most home users don't bother. E.g., https://help.ubuntu.com/10.10/keeping-s ... ewall.html
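The explanation above (an outbound query from a high client port, the reply from port 53 being caught by an inbound rule instead of the stateful RELATED,ESTABLISHED accept) can be checked against the router log itself. The script below is an added example, not code from the thread or from Billion: it parses log lines in the format petemoss posted and sorts each blocked inbound UDP packet into "reply from a configured resolver to an ephemeral port" (almost certainly the answer to a query the LAN sent), "port-53 reply from a server that is not in the configured resolver list" (worth a second look), or something else. The resolver addresses are the two from the posted log; the sample log lines, the LAN address 220.233.1.2 standing in for the masked one, and the Linux ephemeral range 32768 to 60999 (the common default of net.ipv4.ip_local_port_range) are assumptions for the demo.

```python
"""Classify blocked inbound packets from a Billion-style firewall log.

Added example, not from the forum thread or the router vendor. The line
format is modelled on the log lines posted in the thread; the sample lines
below are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Matches lines such as:
# Aug 22 16:00:26 firewall:info: 4109.564 Blocked Prot=17, 220.233.0.3:53 > 220.233.1.2:50013 -Disallowed Destination IP
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+firewall:\w+:\s+[\d.]+\s+"
    r"(?P<action>\w+)\s+Prot=(?P<proto>\d+),\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.*]+):(?P<dport>\d+)"
    r"\s+-(?P<reason>.*)$"
)

# Resolver addresses taken from the log lines posted in the thread.
EXETEL_RESOLVERS = {"220.233.0.3", "220.233.0.4"}

# Assumption: the client is Linux using the common default ephemeral range
# (net.ipv4.ip_local_port_range). 50013 falls inside it.
EPHEMERAL_RANGE = (32768, 60999)

# Constructed sample log. The first two lines mirror the posted ones with a
# placeholder LAN/WAN address; the rest exercise the other verdicts.
SAMPLE_LOG = [
    "Aug 22 16:00:26 firewall:info: 4109.564 Blocked Prot=17, 220.233.0.3:53 > 220.233.1.2:50013 -Disallowed Destination IP",
    "Aug 22 16:00:26 firewall:info: 4109.574 Blocked Prot=17, 220.233.0.4:53 > 220.233.1.2:50013 -Disallowed Destination IP",
    "Aug 22 16:00:31 firewall:info: 4114.002 Blocked Prot=17, 198.51.100.7:53 > 220.233.1.2:50013 -Disallowed Destination IP",
    "Aug 22 16:00:40 firewall:info: 4123.110 Blocked Prot=17, 220.233.0.3:53 > 220.233.1.2:53 -Disallowed Destination IP",
    "Aug 22 16:00:45 firewall:info: 4128.300 Blocked Prot=6, 203.0.113.9:4444 > 220.233.1.2:445 -Disallowed Destination IP",
    "Aug 22 16:00:50 kernel: unrelated line that should be skipped",
]


@dataclass
class Event:
    ts: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one log line into an Event, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], int(m["proto"]), m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["reason"].strip())


def classify(ev, resolvers=EXETEL_RESOLVERS, ephemeral=EPHEMERAL_RANGE):
    """Return a short verdict on why a blocked inbound packet most likely appeared.

    UDP (Prot=17) from port 53 to a port in the client's ephemeral range is the
    shape of a DNS answer to a query the LAN sent; a stateful router should have
    let it through, so seeing it blocked points at a separate inbound rule or an
    expired UDP state entry rather than an unsolicited probe.
    """
    lo, hi = ephemeral
    if ev.proto == 17 and ev.sport == 53 and lo <= ev.dport <= hi:
        if ev.src in resolvers:
            return "dns-reply-from-configured-resolver"
        return "dns-reply-from-unknown-server"
    if ev.proto == 17 and ev.sport == 53:
        return "port53-source-to-non-ephemeral-port"
    return "other"


def summarize(lines):
    """Count verdicts over a whole log; unparseable lines are counted as 'unparsed'."""
    counts = {}
    for line in lines:
        ev = parse_line(line)
        key = classify(ev) if ev else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        print(classify(ev) if ev else "unparsed", "<-", line)
    print(summarize(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the lines from the router (`sys.stdin` works fine), and put your own configured resolvers in EXETEL_RESOLVERS. A run where every entry comes out as "dns-reply-from-configured-resolver" matches the diagnosis given above; a run with "dns-reply-from-unknown-server" entries means something on the LAN is asking servers other than the ones you configured, which is the case to investigate.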

petemoss
Posts: 192
Joined: Sat Sep 30, 2006 3:22 pm

Re: Why are Exetel dns trying to access port 50013 ?

Post by petemoss » Mon Aug 22, 2011 10:12 pm

Thanks Dazzled.

The rules say that port 53 is open outbound, for both UDP and TCP. The logs say 'Blocked Prot=17' which is UDP, so it seems covered. I may have to chase it up on the Billion forums.

I have the dns specified manually, and Obtain DNS automatically box is unchecked. Maybe I should try checking that box and seeing what happens.

PS: I just saw your 'PS'. After much hair pulling out with both Firestarter and UFW/GUFW, I am SO glad to now have a router, where all the firewall side and ICS is handled in the one spot.
