Strange iptables entry - is it legit?

I’ve been digging through my iptables some and setting up new chains with which to weed out crackers and spammers. During this process, I located an entry that I’m unsure of. This is on a fresh installation of virtualmin, but I wonder if someone didn’t sneak something in on me while I was installing things.

Via the Firewall display through webmin, the rule looks like this:

ACCEPT If protocol is UDP and destination is 224.0.0.251 and destination port is 5353

whois tells me that this entry belongs to:

DoD Network Information Center

My question: Is there any reasonable reason why this entry should be in my firewall?

First off, I honestly really don’t know what that is :slight_smile:

But, in some poking around Google, I ran across this post by someone who noticed something similar:

http://www.linuxquestions.org/questions/linux-security-4/udp-port-5353-91085/#post2378092

What distro is it you’re using there?

If that’s a fresh install of your OS, you can probably feel free to remove that rule – you can always add it back in if it turns out you’re hoping to use some service that required it (but that would be atypical, most servers don’t require that port/address).

-Eric

Which table is it in? INPUT or OUTPUT or other?

It’s a fresh install of CentOS 5.3 and of Virtualmin. It’s in the Input table.

I reinstalled the OS using CentOS 5.4 … it looks exactly like 5.3 to me. I reinstalled Virtualmin, and that entry in iptables is there again. I did not check to see whether it was there before I reinstalled. Too many things going on. The link above makes it sound like someone else saw it on a CentOS installation, though. The 5353 makes me think “DNS”, but the Dept. of Defense really should tell me if they need my computer! :slight_smile:

I just Googled the IP. It’s all over the net. It appears that it’s used by the OS now on many installations, even Mac. It seems to have shown up around 9 years ago or so. Beyond that, nobody seems to know what it is. Being the suspicious nut that I am, I wonder if it wasn’t mandated out of the 9/11 fallout. Someone wants to know who’s signing on where.

Found a link that may help explain it a bit more: http://www.process.com/tcpip/mndocs53/ADMIN_GUIDE/Ch10.htm

The IPs “belong” to IANA.org
IANA memo from 2001

  1. Local Network Control Block (224.0.0/24)

    Addresses in the Local Network Control block are used for protocol
    control traffic that is not forwarded off link. Examples of this
    type of use include OSPFIGP All Routers (224.0.0.5) [RFC2328].

Read more: http://www.faqs.org/rfcs/rfc3171.html

Examples from their 1998 memo
http://www.faqs.org/rfcs/rfc3171.html

So I don’t think the Department of Defense is spying on our servers (at least not through that IP), even though Randy Bush is mentioned.

The authors would like to thank Joe St. Sauver, John Meylor, Randy
Bush, and Thomas Narten for their constructive feedback and comments.

Read more: http://www.faqs.org/rfcs/rfc3171.html

The 5353 is the port number, plus the multicast address, that is used by Avahi, which is related to the mDNS system.

Ben
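As an added example (not part of any post above, and not Virtualmin or CentOS code), here is a small POSIX shell script that ties the thread's two conclusions together: it checks whether an address falls inside the RFC 3171 Local Network Control Block (224.0.0.0/24, traffic that is never forwarded off-link), and it scans `iptables-save`-style output for the inbound mDNS ACCEPT rule (UDP to 224.0.0.251 port 5353) that Webmin displayed. The sample rule set is constructed for this example; the function names are my own.

```shell
#!/bin/sh
# Added example: classify an address against RFC 3171's Local Network
# Control Block and locate the mDNS/Avahi accept rule in iptables-save output.

# Return 0 if $1 is an IPv4 address inside 224.0.0.0/24 (link-local multicast,
# not forwarded off-link per RFC 3171), 1 otherwise.
in_local_network_control_block() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case "$4" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" = 224 ] && [ "$2" = 0 ] && [ "$3" = 0 ] && [ "$4" -le 255 ]
}

# Return 0 if a single iptables-save rule line is an INPUT rule accepting
# UDP to 224.0.0.251 port 5353 (mDNS, used by Avahi). Substring checks are
# order-independent, so "-d 224.0.0.251" and "-d 224.0.0.251/32" both match.
is_mdns_accept_rule() {
    rule=$1
    case "$rule" in *"-A INPUT"*)        ;; *) return 1 ;; esac
    case "$rule" in *"-p udp"*)          ;; *) return 1 ;; esac
    case "$rule" in *"-d 224.0.0.251"*)  ;; *) return 1 ;; esac
    case "$rule" in *"--dport 5353"*)    ;; *) return 1 ;; esac
    case "$rule" in *"-j ACCEPT"*)       ;; *) return 1 ;; esac
    return 0
}

# Read iptables-save text on stdin and print how many mDNS accept rules it holds.
count_mdns_accept_rules() {
    n=0
    while IFS= read -r line; do
        if is_mdns_accept_rule "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample (not a real dump) in iptables-save format, modelled on the
# rule the thread describes: one mDNS accept rule among ordinary INPUT rules.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Demo on the constructed sample; on a live host pipe `iptables-save` instead.
printf '%s\n' "$SAMPLE_RULES" | count_mdns_accept_rules

# To remove the rule on a live CentOS 5 host (run as root), either match it
# exactly or delete by position after `iptables -L INPUT -n --line-numbers`:
#   iptables -D INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
#   service iptables save
```

Run it as-is to see the count for the sample, or feed it `iptables-save` output on a real host. If the address classification returns true, the packets in question cannot have come from outside the local link, which is the practical reason the thread settles on Avahi rather than anything remote.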