This could be an internal machine querying the aol.com DNS server, which is harmless. Can you show some tcpdumps of this? Was the source IP the aol.com address or was it just the destination?

I would be worried if it was the source IP and it was going out, not in. If it was coming in then don't panic, though I would prefer to run a caching DNS server locally and block DNS going out.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

-----Original Message-----
From: Jeffrey Laramie [mailto:JALaramie@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, August 27, 2003 1:57 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: External IP addresses on internal network

Hi all,

I recently updated my configuration by modifying one of my filter INPUT rules to specify source IPs coming in from the LAN:

    iptables -t filter -A INPUT -p all -i $LAN_Interface -s $LAN_IP_Range -j Lan-Host

Packets not meeting this condition (among others) are logged and dropped. The intent is to catch any internal packets coming from an external IP address. No sooner did I load this rule than I started logging packets with an AOL IP address coming from the LAN interface going to port 53. I have a small LAN with only a handful of PCs which I configured myself, so I'm a bit puzzled. Have I configured this wrong? Several users connect to AOL through the firewall so that's a possible cause, but I don't know why an AOL program would spoof IPs. Thoughts?
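
Added example, not part of either message: a small Python triage of netfilter LOG lines that answers the question raised in the reply, namely whether the external address is the source or only the destination of a packet seen on the LAN interface. The interface name `eth1`, the LAN range `192.168.1.0/24` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the thread): LAN interface name and LAN range.
LAN_IFACE = "eth1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in netfilter LOG format; the external addresses
# are documentation ranges, not real AOL hosts.
SAMPLE_LOG = [
    "Aug 27 01:50:12 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=60 TTL=64 PROTO=UDP SPT=1045 DPT=53 LEN=40",
    "Aug 27 01:50:13 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TTL=64 PROTO=UDP SPT=1046 DPT=53 LEN=40",
    "Aug 27 01:50:14 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=UDP SPT=53 DPT=1046 LEN=40",
]

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return the KEY=VALUE fields of one LOG line (first occurrence wins,
    so the IP-level LEN is kept rather than the UDP LEN)."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def classify(line):
    """Say which side of a LAN-interface packet carries the external address."""
    f = parse(line)
    if f.get("IN") != LAN_IFACE:
        return "other-interface"
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
    except (KeyError, ValueError):
        return "unparsed"
    if src not in LAN_NET:
        # The case the INPUT rule is meant to catch: non-LAN source on the LAN side.
        return "external-source-on-lan"
    if dst not in LAN_NET and f.get("DPT") == "53":
        # A LAN host querying an outside DNS server directly.
        return "lan-host-external-dns"
    return "lan-traffic"


def report(lines):
    """Return (SRC, DST, verdict) for each log line."""
    return [(parse(l).get("SRC"), parse(l).get("DST"), classify(l)) for l in lines]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```
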