From owner-freebsd-security Thu Aug 17 8:32:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
	by hub.freebsd.org (Postfix) with ESMTP id 031AC37B672
	for ; Thu, 17 Aug 2000 08:32:18 -0700 (PDT)
Received: from localhost (todd@localhost)
	by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id IAA12754;
	Thu, 17 Aug 2000 08:32:00 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Thu, 17 Aug 2000 08:32:00 -0700 (PDT)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd poll state
In-Reply-To: <20000816224105.D28027@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No, I am not using -a for syslogd. I have blocked 514 at the borders and
did not want to add any more overhead to this server. I am thinking that
it might be a DNS issue and not a syslogd issue.

Thanks.

- Todd

On Wed, 16 Aug 2000, Crist J . Clark wrote:

> On Wed, Aug 16, 2000 at 02:08:55PM -0700, Todd Backman wrote:
> >
> > I tried on -questions and didn't get any bites. Any ideas here?:
> >
> > (updated info: I increased my udp.recvspace via sysctl to overcome any
> > possible overloads due to +250 servers spewing syslog data to it. That was
> > not the problem and the poll state continues to occur.
> >
> > One thing I noticed is that when syslogd is in the "poll" state the
> > following is listed in the output of sockstat:
> >
> > machinename# sockstat
> >
> > root     syslogd     83    4 udp4   *.514                 *.*
> > root     syslogd     83    6 udp4   x.x.x.x.271           x.x.x.x.53
> >                                     ^^^^^^^               ^^^^^^^
> >                                     machine IP            nameserver IP
> >
> > I am wondering why syslogd would be attempting to do any type of lookups?
>
> Probably has something to do with this,
>
>      -a allowed_peer
>              Allow allowed_peer to log to this syslogd using UDP datagrams.
>              Multiple -a options may be specified.
>
>              Allowed_peer can be any of the following:
>              .
>              .
>              .
>              domainname[:service]    Accept datagrams where the reverse
>                                      address lookup yields domainname for
>                                      the sender address. The meaning of
>                                      service is as explained above.
>
> Are you using the -a option?
> --
> Crist J. Clark                           cjclark@alum.mit.com
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message