From owner-freebsd-questions@FreeBSD.ORG Thu Dec 30 17:23:54 2004
Date: Thu, 30 Dec 2004 18:23:49 +0100
From: "Florian Hengstberger"
To: FreeBSD mailinglist
Subject: Hostname lookups? (tcpdump output)
Content-Type: text/plain; charset="iso-8859-1"

Hi!

I'm currently keeping track of all packets coming from my ISP using tcpdump. I have a limited transfer rate and I'm wondering why there's still (around 100KB per min) traffic although I have no network connections open to the outside world.
So netstat gives me:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  lazarus.49201          hpat989.external.http  TIME_WAIT
tcp4       0      0  lazarus.49199          66.102.9.104.http      ESTABLISHED
tcp4       0      0  localhost.smtp         *.*                    LISTEN
udp4       0      0  localhost.49158        localhost.ntp
udp4       0      0  localhost.ntp          *.*
udp4       0      0  lazarus.ntp            *.*

When I run tcpdump I get the following:

18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:20.388817 ns1.wwpa.com.domain > lazarus.home.49563: 46388 NXDomain* 0/0/0 (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
18:15:23.456830 ns1.wwpa.com.domain > lazarus.home.49565: 46390 NXDomain* 0/0/0 (43)
18:15:25.191614 arp who-has 62.116.56.19 tell 62.116.56.1
18:15:25.386242 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:25.448443 lazarus.home.49566 > ns1.wwpa.com.domain: 46391+ PTR? 19.56.116.62.in-addr.arpa. (43)
18:15:25.494756 ns1.wwpa.com.domain > lazarus.home.49566: 46391 NXDomain* 0/0/0 (43)
18:15:28.109842 arp who-has 62.116.56.19 tell 62.116.56.1

First question: The arp-query seems to be ok and unavoidable, but what about the connections to ns1.wwpa.com.domain? Looks like a reverse dns lookup to me or something? Why is this, is this dangerous, how can I avoid this? Why does this connection not appear in netstat?
I use the standard client firewall, that's my /etc/rc.conf:

#setup the network
hostname="lazarus.home"
ifconfig_sis0="inet 62.116.56.107 netmask 255.255.255.128"
defaultrouter="62.116.56.1"
#ipv6_enable="YES"

#enable the standard firewall
firewall_enable="YES"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"

#enable services
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"

#system settings
keymap="german.iso"
#linux_enable="YES"
moused_enable="YES"

Secondly: I'm only running ntp and ssh (and mozilla), why is a socket listening on the smtp port?

Thanks in advance
Florian

PS: Sorry for the output of netstat and tcpdump
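Added example, not part of the original post: a small Python script that reads tcpdump lines of the shape quoted above (the sample below is constructed from that trace) and checks whether each PTR query is for an address that appeared in an earlier captured packet. That pattern is the signature of the sniffer resolving the names it prints, which tcpdump does unless it is run with -n; the script also sums the byte counts tcpdump prints for port 53 traffic (shown as .domain) so the share of self-inflicted traffic can be measured.

```python
import re

# Constructed sample in the shape of the tcpdump output quoted in the post.
SAMPLE = """\
18:15:20.016995 arp who-has 62.116.56.99 tell 62.116.56.1
18:15:20.298713 lazarus.home.49562 > ns1.wwpa.com.domain: 46387+ PTR? 99.56.116.62.in-addr.arpa. (43)
18:15:20.347945 ns1.wwpa.com.domain > lazarus.home.49562: 46387 NXDomain* 0/0/0 (43)
18:15:20.348224 lazarus.home.49563 > ns1.wwpa.com.domain: 46388+ PTR? 1.56.116.62.in-addr.arpa. (42)
18:15:21.388378 lazarus.home.49564 > ns1.wwpa.com.domain: 46389+ PTR? 193.33.116.62.in-addr.arpa. (44)
18:15:21.400068 ns1.wwpa.com.domain > lazarus.home.49564: 46389 1/0/0 (70)
18:15:22.432207 arp who-has 62.116.56.98 tell 62.116.56.1
18:15:23.398410 lazarus.home.49565 > ns1.wwpa.com.domain: 46390+ PTR? 98.56.116.62.in-addr.arpa. (43)
"""

ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
PTR_RE = re.compile(r"PTR\? (\S+)\.in-addr\.arpa\.")
LEN_RE = re.compile(r"\((\d+)\)$")          # trailing "(43)" = payload length printed by tcpdump


def ptr_to_ip(reversed_octets):
    """'99.56.116.62' from a PTR name is the address 62.116.56.99 with octets reversed."""
    return ".".join(reversed(reversed_octets.split(".")))


def analyze(text):
    """Classify PTR queries: 'explained' if the queried address was already seen on
    the wire (sniffer-induced lookup), otherwise list it under 'unexplained'."""
    seen = set()          # addresses that appeared in earlier captured packets
    queried = []
    unexplained = []
    dns_bytes = 0
    for line in text.splitlines():
        if ".domain" in line:                      # port 53 traffic as tcpdump labels it
            m = LEN_RE.search(line)
            if m:
                dns_bytes += int(m.group(1))
        m = ARP_RE.search(line)
        if m:
            seen.update(m.groups())               # both the target and the asking host
            continue
        m = PTR_RE.search(line)
        if m:
            ip = ptr_to_ip(m.group(1))
            queried.append(ip)
            if ip not in seen:
                unexplained.append(ip)
    return {"ptr_queries": len(queried),
            "explained": len(queried) - len(unexplained),
            "unexplained": unexplained,
            "dns_bytes": dns_bytes}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The one address not explained by a preceding ARP packet in the sample is the resolver's own, which tcpdump also resolves in order to print it as a name. Each lookup is a UDP socket that lives for milliseconds, which is why it does not appear in a netstat snapshot.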