Old 29th October 2008
J65nko (Administrator)

The tcpdump snippet you posted does not do RBL lookups.

The first one (PTR?) is a reverse lookup (IP address -> name).
The second one (A?) asks for the IP address of mx.freeshell.org.
The third and last one asks for the Mail eXchanger (MX?) or SMTP server for the sdf.lonestar.org. domain.

An RBL query for 192.94.73.19 at zen.spamhaus.org looks like this:
Code:
192.168.222.20.24544 > 192.168.222.10.53: 27286+ A? 19.73.94.192.zen.spamhaus.org. (47)
192.168.222.10.53 > 192.168.222.20.24544: 27286 NXDomain* 0/0/0 (47)
The IP address is reversed from 192.94.73.19 -> 19.73.94.192 and prefixed to the name of the black list, so it becomes: 19.73.94.192.zen.spamhaus.org. In this case the address is not listed at zen.spamhaus.

An example of an IP address that has been listed:
Code:
$ blcheck.sh  92.101.76.6 
IP 92.101.76.6 NAME ip-006-076-101-092.pools.atnet.ru.
2008-10-29_00:39:49_UTC 6.76.101.92.cbl.abuseat.org.           127.0.0.2
2008-10-29_00:39:49_UTC 6.76.101.92.dnsbl.sorbs.net.           127.0.0.7
2008-10-29_00:39:49_UTC 6.76.101.92.bl.spamcop.net.            127.0.0.2
2008-10-29_00:39:49_UTC 6.76.101.92.zen.spamhaus.org.          127.0.0.11 127.0.0.4
2008-10-29_00:39:49_UTC 6.76.101.92.combined.njabl.org.        ---
The tcpdump output:
Code:
sudo tcpdump -ni bge0 -s512 port 53

192.168.222.20.41580 > 192.168.222.10.53: 44311+ PTR? 6.76.101.92.in-addr.arpa. (42)
192.168.222.10.53 > 192.168.222.20.41580: 44311 1/0/0 PTR ip-006-076-101-092.pools.atnet.ru. (89)

192.168.222.20.11188 > 192.168.222.10.53: 39105+ A? 6.76.101.92.cbl.abuseat.org. (45)
192.168.222.10.53 > 192.168.222.20.11188: 39105 1/0/0 A 127.0.0.2 (61)

192.168.222.20.16514 > 192.168.222.10.53: 6322+ A? 6.76.101.92.dnsbl.sorbs.net. (45)
192.168.222.10.53 > 192.168.222.20.16514: 6322 1/0/0 A 127.0.0.7 (61)

192.168.222.20.1968 > 192.168.222.10.53: 16255+ A? 6.76.101.92.bl.spamcop.net. (44)
192.168.222.10.53 > 192.168.222.20.1968: 16255 1/0/0 A 127.0.0.2 (60)

192.168.222.20.6546 > 192.168.222.10.53: 55003+ A? 6.76.101.92.zen.spamhaus.org. (46)
192.168.222.10.53 > 192.168.222.20.6546: 55003 2/0/0 A 127.0.0.11, A 127.0.0.4 (78)

192.168.222.20.48966 > 192.168.222.10.53: 11236+ A? 6.76.101.92.combined.njabl.org. (48)
192.168.222.10.53 > 192.168.222.20.48966: 11236 NXDomain* 0/0/0 (48)
Note that I used '-s 512' to dump 512 bytes of each packet, instead of the default of 96. That way you can see the complete answer.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
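The lookup mechanism described in this post (reverse the octets, prefix them to the list zone, query an A record, read NXDOMAIN as "not listed" and a 127.0.0.x answer as the listing code) as an added Python example; this is not code from the post or from blcheck.sh. It builds the query names, pairs the A? queries in the tcpdump lines above with their replies by transaction id, and keeps only answers inside 127.0.0.0/8, since a list that answers with any other address is misbehaving or acting as a wildcard and must not be treated as a listing. The zen return-code table is Spamhaus's published one; the function and constant names are my own.

```python
import ipaddress
import re


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and prefix them to the list zone,
    e.g. 192.94.73.19 + zen.spamhaus.org -> 19.73.94.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)                  # rejects malformed input
    rev = ".".join(reversed(str(addr).split(".")))
    return f"{rev}.{zone.strip('.')}."


# tcpdump -n lines as in the post: "src.port > dst.port: id+ A? name. (len)"
QUERY_RE = re.compile(r"^\S+ > \S+: (\d+)\+ A\? (\S+) \(\d+\)$")
REPLY_RE = re.compile(r"^\S+ > \S+: (\d+) (NXDomain\*?|\d+/\d+/\d+)(.*)\(\d+\)$")
A_RECORD_RE = re.compile(r"\bA (\d+\.\d+\.\d+\.\d+)")
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")


def parse_dnsbl_capture(lines):
    """Pair each A? query with its reply by DNS transaction id.
    Returns {query_name: None} for NXDOMAIN (not listed) and
    {query_name: [codes]} for listed; only 127.0.0.0/8 answers count."""
    pending, results = {}, {}
    for raw in lines:
        line = raw.strip()
        m = QUERY_RE.match(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = REPLY_RE.match(line)
        if not m or m.group(1) not in pending:
            continue                                  # PTR traffic, unrelated ids
        qname = pending.pop(m.group(1))
        if m.group(2).startswith("NXDomain"):
            results[qname] = None
        else:
            codes = [c for c in A_RECORD_RE.findall(m.group(3))
                     if ipaddress.IPv4Address(c) in LISTING_NET]
            results[qname] = codes or None            # non-127/8 answers: not a listing
    return results


# Spamhaus zen return codes (published by Spamhaus; other lists have their own tables)
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def describe_zen(codes):
    """Translate zen answer addresses into the Spamhaus sub-list names."""
    return [ZEN_CODES.get(c, f"unknown {c}") for c in codes]


# Sample input: the tcpdump lines from the post above
SAMPLE = """
192.168.222.20.41580 > 192.168.222.10.53: 44311+ PTR? 6.76.101.92.in-addr.arpa. (42)
192.168.222.10.53 > 192.168.222.20.41580: 44311 1/0/0 PTR ip-006-076-101-092.pools.atnet.ru. (89)
192.168.222.20.11188 > 192.168.222.10.53: 39105+ A? 6.76.101.92.cbl.abuseat.org. (45)
192.168.222.10.53 > 192.168.222.20.11188: 39105 1/0/0 A 127.0.0.2 (61)
192.168.222.20.6546 > 192.168.222.10.53: 55003+ A? 6.76.101.92.zen.spamhaus.org. (46)
192.168.222.10.53 > 192.168.222.20.6546: 55003 2/0/0 A 127.0.0.11, A 127.0.0.4 (78)
192.168.222.20.48966 > 192.168.222.10.53: 11236+ A? 6.76.101.92.combined.njabl.org. (48)
192.168.222.10.53 > 192.168.222.20.48966: 11236 NXDomain* 0/0/0 (48)
"""

if __name__ == "__main__":
    print(dnsbl_query_name("192.94.73.19", "zen.spamhaus.org"))
    for name, codes in parse_dnsbl_capture(SAMPLE.splitlines()).items():
        status = "not listed" if codes is None else "listed " + ", ".join(codes)
        if codes and name.endswith("zen.spamhaus.org."):
            status += " (" + ", ".join(describe_zen(codes)) + ")"
        print(name, status)
```

Run against a live capture by piping `tcpdump -n -s512 port 53` output into `parse_dnsbl_capture`; the 127.0.0.0/8 filter is the check you want before acting on a listing, because a broken resolver or a retired list that now answers every name would otherwise flag every address.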