Strange iptables entry - is it legit?

I’ve been digging through my iptables some and setting up new chains with which to weed out crackers and spammers. During this process, I located an entry that I’m unsure of. This is on a fresh installation of virtualmin, but I wonder if someone didn’t sneak something in on me while I was installing things.

Via the Firewall display through webmin, the rule looks like this:

ACCEPT If protocol is UDP and destination is and destination port is 5353

whois tells me that this entry belongs to:

DoD Network Information Center

My question: Is there any reasonable reason why this entry should be in my firewall?

First off, I honestly really don’t know what that is :slight_smile:

But, in some poking around Google, I ran across this post who noticed something similar:

What distro is it you’re using there?

If that’s a fresh install of your OS, you can probably feel free to remove that rule – you can always add it back in if it turns out you’re hoping to use some service that required it (but that would be atypical, most servers don’t require that port/address).


Which table is it in ? INPUT or OUTPUT or other?

It’s a fresh install of CentOS 5.3 and of Virtualmin. It’s in the Input table.

I reinstalled the OS using CentOS 5.4 … it looks exactly like 5.3 to me. I reinstalled Virtualmin, and that entry in iptables is there again. I did not check to see whether it was there before I reinstalled. Too many things going on. The link above makes it sound like someone else saw it on a CentOS installation, though. The 5353 makes me think “DNS”, but the Dept. of Defense really should tell me if they need my computer! :slight_smile:

I just Googled the IP. It’s all over the net. It appears that it’s used by the OS now on many installations, even Mac. It seems to have shown up around 9 years ago or so. Beyond that, nobody seems to know what it is. Being the suspicious nut that I am, I wonder if it wasn’t mandated out of the 911 fallout. Someone wants to know who’s signing on where.

Found a link that may help explain it a bit more:

The IP’s “belong” to
iana memo from 2001

  1. Local Network Control Block (224.0.0/24)

    Addresses in the Local Network Control block are used for protocol
    control traffic that is not forwarded off link. Examples of this
    type of use include OSPFIGP All Routers ( [RFC2328].

Read more:

Examples from their 1998 memo

So I don’t think the department of defense is spying on our servers (at least not through that IP), eventhough randy bush is mentioned.

The authors would like to thank Joe St. Sauver, John Meylor, Randy
Bush, and Thomas Narten for their constructive feedback and comments.

Read more:

The 5353 is the port number, plus the multicast address, that is used be Avahi(SP?) which is related to the MDNS system.