From: George Mamalakis
To: freebsd-security@freebsd.org
Date: Wed, 19 Jul 2006 12:07:08 +0300 (EEST)
Message-ID: <20060719114613.N18979@ns1.lan.gr>
Subject: UDP connection attempts

Hi everyone,

I administer this 5.2.1 FreeBSD box which runs a few services, among which are bind and postfix. On the same box I run ipfw as a firewall, and have a default policy block for all incoming packets, except for those that are for ports 53 (tcp and udp) and 25 (tcp).

I also have the following sysctl values enabled:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

In my security logs I keep on getting the following messages:

Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354

I have googled these messages many times, but still haven't found a real explanation of why these messages occur. The way I see it is that there is no malicious behaviour behind these messages; most probably there's something that has to do with my firewall settings, and the keep-state option. I present the excerpt from my firewall configuration file that relates to the DNS incoming traffic:

add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state

I would be grateful if someone could explain to me why these messages keep showing, and if there is a way to prevent them from occurring in the future.

Thank you all in advance,
mamalos
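The "Connection attempt to UDP/TCP" lines come from the blackhole sysctls the post enables: the kernel logs a packet that arrived for a port with no listening socket instead of answering with an ICMP unreachable or RST. A first triage step is to separate the entries that can only have been generated by the host itself (loopback, or source and destination both local) from those that came from outside. The following parser is an added example and not part of the original post; it is not a FreeBSD or ipfw tool. The sample lines are constructed from the shape of the messages quoted above, with 203.0.113.10 standing in for "myexternaladdress", and the set of local addresses passed to `summarize` is an assumption the operator would supply. The port annotations rely only on the well-known /etc/services assignments (UDP 512 is comsat, the service behind biff; 53 is domain).

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the kernel messages in the post
# (not real data from the poster's machine).
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 203.0.113.10:52299 from 203.0.113.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 203.0.113.10:52316 from 203.0.113.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to TCP 203.0.113.10:22 from 198.51.100.7:44123
"""

# Field layout of the blackhole message as printed by the FreeBSD kernel.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Well-known service numbers from /etc/services, used only to annotate events.
KNOWN_PORTS = {53: "domain", 512: "comsat (biff)"}


def parse_line(line):
    """Return a dict of fields for a blackhole log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev


def classify(ev, local_addrs):
    """Say where the packet can have come from, given the host's own addresses.

    loopback       - both ends are 127.0.0.0/8: generated on this host.
    self-addressed - both ends are this host's addresses: also local traffic,
                     e.g. a service on the box answering the box's own query.
    external       - the source is not one of this host's addresses.
    """
    if ev["src"].startswith("127.") and ev["dst"].startswith("127."):
        return "loopback"
    if ev["src"] in local_addrs and ev["dst"] in local_addrs:
        return "self-addressed"
    return "external"


def annotate(ev):
    """Name the well-known port involved, if either end is one."""
    if ev["dport"] in KNOWN_PORTS:
        return "to " + KNOWN_PORTS[ev["dport"]]
    if ev["sport"] in KNOWN_PORTS:
        return "from " + KNOWN_PORTS[ev["sport"]]
    return "unassigned"


def summarize(log_text, local_addrs):
    """Count blackhole events per origin class over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            counts[classify(ev, local_addrs)] += 1
    return counts


if __name__ == "__main__":
    local = {"127.0.0.1", "203.0.113.10"}  # assumed addresses of the host
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        if ev:
            print(f"{ev['ts']} {ev['proto']} {classify(ev, local):14s} {annotate(ev)}")
    print(summarize(SAMPLE_LOG, local))
```

Only the `external` class deserves attention as possible probing; the loopback and self-addressed entries can only have been produced by processes on the box itself, so they point at a local service and its configuration rather than at the firewall.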