Re: "connection timed out" problem

From: Skywise <into@oblivion.nothing.com>
Date: Sun Apr 02 2006 - 07:17:24 CEST

ibuprofin@painkiller.example.tld (Moe Trin) wrote in
news:slrne2uiov.avq.ibuprofin@compton.phx.az.us:

> On Sun, 02 Apr 2006, in the Usenet newsgroup comp.security.firewalls, in
> article <122uaed4lg2r83c@corp.supernews.com>, Skywise wrote:
>>Skywise <into@oblivion.nothing.com> wrote in
>>news:122tth42j2ijv1c@corp.supernews.com:
>
>>> <Snipola of excellent info>
>
> Yeah, I'm a *nix network administrator - I work with this stuff all the
> time. Hope it made sense to you.
>
>>> I've used this firewall on other machines with no problem. Being
>>> on a new machine there's not many rules setup yet. I've looked
>>> around in its settings but didn't notice anything that might do
>>> this.
>
> Nonetheless, your description of the failure does indicate a firewall
> problem of some kind. Re- the description I gave up-thread: Your system
> asked the DNS server to translate name to IP. Note the exact time this
> occurs. Then note the exact time that that server replies (match up port
> numbers to see which reply is which). Then note the exact time of the
> ICMP Port Unreachable. If you can see inside that ICMP packet, it has
> the addresses and port numbers (it actually has at least the IP header
> of 20+ bytes and the first 8 bytes of the datagram which would in this
> case be the entire UDP header). What I'm guessing is that the name
> server is slow (say more than a second - perhaps more than five
> seconds), and the firewall code is rejecting it.

After reading your dissertation earlier I looked closely at some
captured packets. I understood what you were describing and could
easily see how it was working.

Here's a summarized example from a typical capture showing just the
DNS stuff:

time             source ip      port  dest. ip       port  proto  info
18:36:27.953125  66.159.232.77  1272  66.51.205.100  53    DNS    www.iris.edu
18:36:28.953125  66.159.232.77  1272  66.51.206.100  53    DNS    www.iris.edu
18:36:29.546875  66.51.205.100  53    66.159.232.77  1272  DNS    128.95.166.129
18:36:30.437500  66.51.206.100  53    66.159.232.77  1272  DNS    128.95.166.129
18:36:30.437500  66.159.232.77  53    66.51.206.100  1272  ICMP   Unreachable

In typing this out, I see that my system goes to the first DNS, then
1 second later goes to the second. I get the reply to the first DNS
less than two seconds after the request, and the second reply is also
received less than two seconds after the request, but is immediately
followed with the "destination unreachable".

Should not the system be waiting longer than 1 second before going to
the second DNS? This may be related to some non-default and missing
registry keys that I mentioned in my post to Sebastian.

<Snipola>

> I'm making an assumption by your use of ethereal that you would have
> noticed that the packets are actually using the right interface. Some of
> the anti-malware stuff has been known to stick hostnames into the hosts
> file (I dunno - c:\windoze\hosts or c:\winnt\system32\drivers\hosts)
> with a 127.0.0.1 address to block access to those remote systems.

My hosts file only contains one entry,

127.0.0.1 localhost

>>I'm really thinking there's some sort of "system level" problem.
>>Something in Windows' networking settings. Oh, and in case it
>>wasn't clear before, this is a dial up connection.
>
> OK - a dialup means you'll get a new IP address every time you dial in,
> so your posting the output of "ipconfig /all" isn't going to expose you
> to anything - you won't be using that address for a while.

Windows 2000 IP Configuration

     Host Name . . . . . . . . . . . . : heart-of-gold-6
     Primary DNS Suffix . . . . . . . :
     Node Type . . . . . . . . . . . . : Broadcast
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

     Media State . . . . . . . . . . . : Cable Disconnected
     Description . . . . . . . . . . . : Linksys LNE100TX(v5) Fast Ethernet
                                         Adapter
     Physical Address. . . . . . . . . : 00-04-5A-72-72-90

PPP adapter DSL Extreme - Cypress:

     Connection-specific DNS Suffix . :
     Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
     Physical Address. . . . . . . . . : 00-53-45-00-00-00
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 66.159.232.77
     Subnet Mask . . . . . . . . . . . : 255.255.255.255
     Default Gateway . . . . . . . . . : 66.159.232.77
     DNS Servers . . . . . . . . . . . : 66.51.205.100
                                         66.51.206.100
     NetBIOS over Tcpip. . . . . . . . : Disabled

The DNS servers were set by me in TCP/IP setup and are those
specified by my ISP.

BTW, have you been following my convo with Sebastian?

Brian

-- 
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
Received on Mon May 1 01:04:08 2006
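The matching Moe Trin describes up-thread (pair each DNS query with its reply and any ICMP Port Unreachable by port numbers, then compare the timestamps), run over the five summarised capture lines Brian posted. This is an added example and not code from anyone in the thread. It assumes the seven-column summary format exactly as posted, that the ICMP line shows the outer client-to-server IP addresses with the port numbers of the embedded UDP header, and a 1-second per-server resolver timeout that is only an assumption used to flag replies the resolver had likely already given up on.

```python
"""Correlate DNS queries, replies and ICMP Port Unreachable messages from a
summarised packet capture (added example; the threshold is an assumption)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: Brian's five summarised lines, re-typed here.
# Columns: time, src ip, src port, dst ip, dst port, proto, info
SAMPLE_CAPTURE = """\
18:36:27.953125 66.159.232.77 1272 66.51.205.100 53 DNS www.iris.edu
18:36:28.953125 66.159.232.77 1272 66.51.206.100 53 DNS www.iris.edu
18:36:29.546875 66.51.205.100 53 66.159.232.77 1272 DNS 128.95.166.129
18:36:30.437500 66.51.206.100 53 66.159.232.77 1272 DNS 128.95.166.129
18:36:30.437500 66.159.232.77 53 66.51.206.100 1272 ICMP Unreachable
"""


@dataclass
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    info: str


def parse_capture(text: str) -> List[Packet]:
    """Parse the seven-column summary; malformed lines are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 7:
            continue
        ts, src, sport, dst, dport, proto, info = parts
        packets.append(Packet(datetime.strptime(ts, "%H:%M:%S.%f"),
                              src, int(sport), dst, int(dport), proto, info))
    return packets


@dataclass
class Exchange:
    client: str
    client_port: int
    server: str
    query_ts: datetime
    name: str
    reply_ts: Optional[datetime] = None
    answer: Optional[str] = None
    icmp_unreachable: bool = False

    @property
    def latency_s(self) -> Optional[float]:
        if self.reply_ts is None:
            return None
        return (self.reply_ts - self.query_ts).total_seconds()


def correlate(packets: List[Packet]) -> List[Exchange]:
    """Match query, reply and ICMP by (client ip, client port, server ip)."""
    by_key: Dict[Tuple[str, int, str], Exchange] = {}
    order: List[Exchange] = []
    for p in packets:
        if p.proto == "DNS" and p.dport == 53:          # query from the client
            ex = Exchange(p.src, p.sport, p.dst, p.ts, p.info)
            by_key[(p.src, p.sport, p.dst)] = ex
            order.append(ex)
        elif p.proto == "DNS" and p.sport == 53:        # reply from the server
            ex = by_key.get((p.dst, p.dport, p.src))
            if ex is not None:
                ex.reply_ts, ex.answer = p.ts, p.info
        elif p.proto == "ICMP":
            # Assumption: outer IPs are client -> server, the ports are those
            # of the embedded UDP header (server:53 -> client port), so the
            # client's port is the dport field of the summary line.
            ex = by_key.get((p.src, p.dport, p.dst))
            if ex is not None:
                ex.icmp_unreachable = True
    return order


def analyse(text: str, resolver_timeout_s: float = 1.0) -> dict:
    """Report the gap between retries, per-server latency, and whether each
    reply came back after the (assumed) timeout or after the next retry."""
    exchanges = correlate(parse_capture(text))
    query_times = [ex.query_ts for ex in exchanges]
    gaps = [(b - a).total_seconds() for a, b in zip(query_times, query_times[1:])]
    report: dict = {"retry_gaps_s": gaps, "servers": []}
    for i, ex in enumerate(exchanges):
        next_query = query_times[i + 1] if i + 1 < len(query_times) else None
        late = ex.reply_ts is not None and (
            ex.latency_s > resolver_timeout_s
            or (next_query is not None and ex.reply_ts > next_query))
        report["servers"].append({"server": ex.server,
                                  "latency_s": ex.latency_s,
                                  "late_reply": late,
                                  "icmp_unreachable": ex.icmp_unreachable})
    return report


if __name__ == "__main__":
    for line in analyse(SAMPLE_CAPTURE)["servers"]:
        print(line)
```

On the posted lines this reports a 1.0 s gap between the two queries, a 1.59 s reply from the first server and a 1.48 s reply from the second, both arriving after the resolver's next action, with only the second reply followed by an ICMP Unreachable. That is the pattern Moe Trin's explanation predicts for a slow name server whose late answer the firewall rejects.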