From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 09:22:22 2006
From: "Adrian Penisoara"
Sender: ady@fwd.ady.ro
To: "George Mamalakis"
Cc: freebsd-security@freebsd.org
Date: Wed, 19 Jul 2006 12:22:18 +0300
Subject: Re: UDP connection attempts
Message-ID: <9e01a0da0607190222i426bceccq66fe95c72ffe8d38@mail.gmail.com>
In-Reply-To: <20060719114613.N18979@ns1.lan.gr>

Hi,

$ grep "\<512/udp" /etc/services
biff            512/udp     comsat      #used by mail system to notify users

So basically you've got a process (most likely your local MTA) sending notifications of incoming new mail to the comsat service (which by default is disabled in /etc/inetd.conf).
Either adjust your firewall to allow such notifications (UDP packets towards port 512 on the 127.0.0.0/8 subnet through the lo0 interface) or disable notification from your mail delivery agent.

Best regards,
Adrian Penisoara
Ady (@freebsd.ady.ro)

On 7/19/06, George Mamalakis wrote:
>
> Hi everyone,
>
> I administer this FreeBSD 5.2.1 box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy that blocks all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it, there is
> no malicious behaviour behind these messages; most probably it is
> something that has to do with my firewall settings and the keep-state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the incoming DNS traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing up, and if there is a way to prevent them from occurring in the
> future.
>
> Thank you all in advance,
>
> mamalos
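A small triage script for the log lines discussed above, added here as an example and not code from either poster. It parses the kernel's "Connection attempt to UDP" lines (FreeBSD prints these from the UDP input path when net.inet.udp.log_in_vain is set and no socket is bound to the destination port) and sorts them into the categories the thread talks about: loopback datagrams to 512/udp, which Adrian identifies as the local MTA notifying the disabled comsat service, and same-host datagrams sourced from port 53, which the thread does not explain and which the script files separately (my reading, marked as an assumption in the code, is that they are replies from the local named to a resolver socket that has already been closed). Anything from an outside host is listed for manual review. The sample log is constructed: 192.0.2.10 stands in for "myexternaladdress", and the final line from 198.51.100.77 is invented for contrast.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input modelled on the lines quoted in the thread.
# 192.0.2.10 stands in for "myexternaladdress"; the last line (a datagram
# from an outside host to a closed port) is invented and not from the thread.
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:12:07 ns1 kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.77:6010
"""

# Format of the message the FreeBSD kernel logs when net.inet.udp.log_in_vain
# is set and a datagram arrives for a port with no listening socket.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)\s*$"
)

COMSAT_PORT = 512  # biff/comsat, per /etc/services
DNS_PORT = 53


def parse_line(line):
    """Return a dict for one log_in_vain UDP line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    return rec


def classify(rec):
    """Label one record using the explanations given in the thread."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if rec["dport"] == COMSAT_PORT and src.is_loopback and dst.is_loopback:
        # Local mail delivery agent notifying comsat, which inetd.conf
        # leaves disabled, so nothing is bound to 512/udp.
        return "comsat"
    if src == dst and rec["sport"] == DNS_PORT:
        # Same-host datagram sourced from the DNS port. Assumption (not
        # explained in the thread): a reply from the local named to a
        # high port whose resolver socket has already been closed.
        return "local-dns-reply"
    if src == dst or src.is_loopback:
        return "local-other"
    # Unsolicited datagram from another host to a closed port: worth a look.
    return "external"


def triage(text):
    """Count each category and return the records that came from outside."""
    counts = Counter()
    external = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if label == "external":
            external.append(rec)
    return counts, external


if __name__ == "__main__":
    counts, external = triage(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:16s} {n}")
    for rec in external:
        print(f"review: {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} at {rec['ts']}")
```

Feed it /var/log/security (or messages) via `triage(open(path).read())`; only the "external" bucket needs attention, the two local buckets are the noise George asked about.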