From owner-freebsd-security Sat Aug 8 23:39:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA16797 for freebsd-security-outgoing; Sat, 8 Aug 1998 23:39:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA16792 for ; Sat, 8 Aug 1998 23:39:20 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA13231; Sun, 9 Aug 1998 18:37:34 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Sun, 9 Aug 1998 18:37:34 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Kris Kennaway
cc: security@FreeBSD.ORG
Subject: Re: Capturing IPFW denied packets
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 9 Aug 1998, Kris Kennaway wrote:

> Is there any way I can set things up to log the contents of the packets
> which fail the ipfw filter? Can anyone think of legitimate reasons these
> sites might want to know my identity or information about my DNS, other
> than trying to harvest addresses for spammers?

It's often useful to have the names of connecting hosts in your httpd logs. Recent versions of Apache don't do these lookups by default, but a fair proportion of servers do, probably most of them.

Some servers may be configured to verify that the A record and the PTR record agree, since otherwise a bogus PTR record could be used to spoof where a connection is made from.

It may be that the site uses ident info for valid reasons with local users, and that calling your identd is a side effect of this setup. I'm not sure why someone would use ident, but I guess since it made it into the standard http log format there must be a few people out there who think it's useful.

Andrew McNaughton
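
The A/PTR agreement check mentioned in the message above, sketched as an added example that is not part of the original post or of any server's own code: a logged host name is accepted only when the forward lookup of the PTR name returns the connecting address. The function names are hypothetical, and the addresses and host names are constructed samples from documentation ranges.

```python
import socket

def ptr_lookup(ip):
    """Reverse lookup: return the PTR name for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def addr_lookup(name):
    """Forward lookup: return the set of addresses for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def verified_hostname(ip, ptr=ptr_lookup, fwd=addr_lookup):
    """Return the PTR name only if its forward lookup contains ip.

    The PTR record is published by whoever runs the reverse zone for the
    client's address, so on its own it is an unverified claim.
    """
    name = ptr(ip)
    if not name:
        return None
    name = name.rstrip(".").lower()
    return name if ip in fwd(name) else None

# Constructed sample data standing in for live DNS (assumption, runs offline).
SAMPLE_PTR = {
    "192.0.2.10": "www.example.org.",        # PTR that matches the forward zone
    "198.51.100.7": "trusted.example.com",   # bogus PTR set in the client's own zone
}
SAMPLE_A = {
    "www.example.org": {"192.0.2.10"},
    "trusted.example.com": {"203.0.113.5"},  # address the name really resolves to
}

def log_name(ip):
    """Name to write to the access log: verified host name, else the bare IP."""
    name = verified_hostname(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
    return name or ip

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
        print(ip, "->", log_name(ip))
```

Calling `verified_hostname(ip)` with its default arguments performs the same check against the system resolver.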