From owner-freebsd-security Wed Jun 16 3: 0:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (unknown [203.96.92.3]) by hub.freebsd.org (Postfix) with ESMTP id 9EB2C14C59 for ; Wed, 16 Jun 1999 03:00:20 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.152.36]) by mta2-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990616100254.GZCQ311284.mta2-rme@wocker>; Wed, 16 Jun 1999 22:02:54 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Dag-Erling Smorgrav
Date: Wed, 16 Jun 1999 22:00:18 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: named timeouts
Reply-To: junkmale@xtra.co.nz
Cc: security@FreeBSD.ORG, Mike Nowlin
References: "Dan Langille"'s message of "Wed, 16 Jun 1999 07:45:31 +1200"
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990616100254.GZCQ311284.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 16 Jun 99, at 9:57, Dag-Erling Smorgrav wrote:

> "Dan Langille" writes:
> > On my main machine, which is also running named, the daily security
> > check always has lots of these types of entries. Typically there are
> > about 50 a day. I think it's because a dns request has been started,
> > but by the time the reply arrives, the firewall has terminated that port
> > connection (I'm running ipfilter).
>
> No, I don't think these messages come from named. I think they're log
> messages from ipfilter telling you you didn't set up your firewall
> correctly. You should have rules permitting all UDP traffic to and *from*
> port 53. Actually, you should have a rule permitting all traffic across
> lo0 no matter what.
Well, I just checked:

# ipfstat -hio | grep lo0
566 pass out quick on lo0 from any to any
1132 pass in quick on lo0 from any to any

And verified via:

# grep lo0 /etc/ipfrules
pass in quick on lo0 all
pass out quick on lo0 all

Looks to me like they are allowed.

These messages aren't from ipfilter. I believe they are from my
kernel.log. I apologise for not pointing that out in the first place:

$ tail kernel.log
Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
Jun 16 10:46:43 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1598
Jun 16 11:32:39 ns /kernel: Connection attempt to UDP 127.0.0.1:1704 from 127.0.0.1:53
Jun 16 12:37:18 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1872
Jun 16 13:22:40 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2026
Jun 16 17:29:47 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2521
Jun 16 18:45:20 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2730
Jun 16 21:12:36 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3029
Jun 16 21:17:48 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3138

Does this make things any clearer?

-- 
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
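[Editor's added example; this code was not posted by anyone in the thread.]
The kernel.log excerpt above contains two distinct kinds of message that the
daily security report lumps together. The script below parses lines of that
exact shape (FreeBSD emits them when net.inet.udp.log_in_vain is enabled and a
UDP datagram arrives for a port with no socket bound to it; that the excerpt is
in this format is an assumption) and sorts them by port pair: datagrams *from*
127.0.0.1:53 to a high port are DNS answers that arrived after the local
resolver had already closed its query socket, which is the cause Dan
suspects, while datagrams *to* 127.0.0.1:512 are aimed at comsat/biff and have
nothing to do with named. The sample input is copied from Dan's tail output;
the classification is a port-based heuristic, not a verdict.

```python
"""Classify FreeBSD 'Connection attempt to UDP ...' kernel log lines.

Added example for this mailing-list thread; not code from the original post.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumption: lines look exactly like Dan's kernel.log excerpt.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to UDP (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)$"
)

# Copied from the tail output quoted in the thread.
SAMPLE_LOG = """\
Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
Jun 16 10:46:43 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1598
Jun 16 11:32:39 ns /kernel: Connection attempt to UDP 127.0.0.1:1704 from 127.0.0.1:53
Jun 16 12:37:18 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1872
Jun 16 13:22:40 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2026
Jun 16 17:29:47 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2521
Jun 16 18:45:20 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2730
Jun 16 21:12:36 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3029
Jun 16 21:17:48 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:3138
"""


@dataclass(frozen=True)
class InVain:
    ts: str
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> InVain | None:
    """Return an InVain record, or None if the line is not a log_in_vain message."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return InVain(m["ts"], m["host"], m["src_ip"], int(m["src_port"]),
                  m["dst_ip"], int(m["dst_port"]))


def classify(ev: InVain) -> str:
    """Name the likely cause from the port pair alone (heuristic).

    Source port 53 -> high port: a DNS answer reached a resolver socket that
    had already been closed (e.g. the resolver timed out and gave up).
    Destination port 512: something sent to comsat/biff, which is not listening.
    """
    if ev.src_port == 53 and ev.dst_port >= 1024:
        return "late DNS reply to closed resolver port"
    if ev.dst_port == 512:
        return "datagram to udp/512 (comsat/biff), no listener"
    if ev.dst_port < 1024:
        return "datagram to unused privileged port"
    return "datagram to unused ephemeral port"


def summarize(text: str) -> tuple[dict[str, int], int]:
    """Count lines per cause; the second value is the number of non-matching lines."""
    counts = Counter()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            counts[classify(ev)] += 1
    return dict(counts), unparsed


def all_loopback(text: str) -> bool:
    """True when every parsed event is 127.0.0.1 -> 127.0.0.1.

    With 'pass in/out quick on lo0 all' in place these cannot be firewall
    drops; they are the kernel reporting a datagram for an unbound port.
    """
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events = [e for e in events if e is not None]
    return bool(events) and all(
        e.src_ip == "127.0.0.1" and e.dst_ip == "127.0.0.1" for e in events)


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG)
    for cause, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {cause}")
    print(f"unparsed lines: {bad}; all loopback: {all_loopback(SAMPLE_LOG)}")
```

Run against the quoted excerpt it reports 3 late DNS replies and 7 datagrams
to udp/512, all loopback-to-loopback, which is consistent with Dan's point
that the lo0 pass rules are not what is generating these lines.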