From owner-freebsd-security Wed Aug 16 22:41:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
    by hub.freebsd.org (Postfix) with ESMTP id E41F737B99A
    for ; Wed, 16 Aug 2000 22:41:10 -0700 (PDT)
    (envelope-from cjc@149.211.6.64.reflexcom.com)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
    by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
    Wed, 16 Aug 2000 22:40:03 -0700
Received: (from cjc@localhost)
    by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id WAA80755;
    Wed, 16 Aug 2000 22:41:05 -0700 (PDT)
    (envelope-from cjc)
Date: Wed, 16 Aug 2000 22:41:05 -0700
From: "Crist J . Clark"
To: Todd Backman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd poll state
Message-ID: <20000816224105.D28027@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from todd@flyingcroc.net on Wed, Aug 16, 2000 at 02:08:55PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Aug 16, 2000 at 02:08:55PM -0700, Todd Backman wrote:
>
> I tried on -questions and didn't get any bites. Any ideas here?:
>
> (updated info: I increased my udp.recvspace via sysctl to overcome any
> possible overloads due to +250 servers spewing syslog data to it. That was
> not the problem and the poll state continues to occur.
>
> One thing I noticed is that when syslogd is in the "poll" state the
> following is listed in the output of sockstat:
>
> machinename# sockstat
>
> root     syslogd     83    4 udp4   *.514                 *.*
> root     syslogd     83    6 udp4   x.x.x.x.271           x.x.x.x.53
>                                     ^^^^^^^               ^^^^^^^
>                                     machine IP            nameserver IP
>
> I am wondering why syslogd would be attempting to do any type of lookups?

Probably has something to do with this,

     -a allowed_peer
             Allow allowed_peer to log to this syslogd using UDP datagrams.
             Multiple -a options may be specified.

             Allowed_peer can be any of the following:
             .
             .
             .
             domainname[:service]
                     Accept datagrams where the reverse address lookup yields
                     domainname for the sender address.  The meaning of
                     service is as explained above.

Are you using the -a option?
-- 
Crist J. Clark                           cjclark@alum.mit.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
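
One way to answer the closing question for a given configuration, as an added example that is not part of the original message or of syslogd itself: the script below pulls the `-a` values out of a syslogd flag string and separates address-based peers from hostname-based ones, which per the man page excerpt are matched through a reverse address lookup. The `ipaddr/masklen[:service]` and `*domainname` forms are taken from syslogd(8) and are not shown in the excerpt; the flag string is constructed and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample of syslogd flags (e.g. syslogd_flags in rc.conf); not from the post.
SAMPLE_FLAGS = "-s -a 192.168.0.0/16:* -a '*.example.org' -aloghost.example.org:514 -a 10.1.2.3"


def classify_peer(spec):
    """Return 'address' or 'reverse-dns' for one -a allowed_peer value.

    Assumes IPv4 peers written as full dotted quads, matching the udp4
    sockets in the quoted sockstat output.
    """
    # Drop the optional trailing ":service" part, then any "/masklen".
    host = spec.rsplit(":", 1)[0] if ":" in spec else spec
    addr = host.split("/", 1)[0]
    try:
        ipaddress.IPv4Address(addr)
        return "address"        # compared against the sender address directly
    except ValueError:
        return "reverse-dns"    # domainname form: needs a PTR lookup per sender


def allowed_peers(flags):
    """Extract every -a value, written either as '-a value' or '-avalue'."""
    tokens = shlex.split(flags)
    peers = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a" and i + 1 < len(tokens):
            peers.append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("-a") and len(tok) > 2:
            peers.append(tok[2:])
        i += 1
    return peers


def peers_needing_dns(flags):
    """List the -a values that make syslogd depend on the nameserver."""
    return [p for p in allowed_peers(flags) if classify_peer(p) == "reverse-dns"]


if __name__ == "__main__":
    for peer in allowed_peers(SAMPLE_FLAGS):
        print(f"{classify_peer(peer):12} {peer}")
```

An empty result from `peers_needing_dns` means no `-a` entry in that flag string is name-based.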