From owner-freebsd-questions@FreeBSD.ORG Fri Oct 19 10:30:31 2007
Date: Fri, 19 Oct 2007 20:30:17 +1000 (EST)
From: Ian Smith
To: Nikos Vassiliadis
Cc: "Michael K. Smith - Adhost", freebsd-questions@freebsd.org
Subject: Re: Odd PF Denied Message
In-Reply-To: <200710191009.28995.nvass@teledomenet.gr>
List-Id: User questions

On Fri, 19 Oct 2007, Nikos Vassiliadis wrote:

> On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> > On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
..
> > > I think log_in_vain can be used when configuring a firewall.
> > > Just to see quickly if your firewall works as expected and
> > > then turn it off. Otherwise it is just going to create tons
> > > of irrelevant log messages.
> >
> > On the contrary .. if your firewall is working correctly, you shouldn't
> > ever be seeing connection attempts to non-listening ports, especially
> > from outside.
>
> Hey, we are saying the same thing, aren't we?

Well, not exactly :) but I don't think we have any serious disagreement.
> > log_in_vain messages indicate some attention is needed,
> > either to block or reset those connections, or to provide a listener :)
> > so removing log_in_vain (shooting the messenger) may not be a good idea.
>
> Hm, almost the same thing. I tend to disagree with this. I prefer
> log_in_vain off because usually a server will live in a DMZ. And
> most of the time we do not bother running local firewalls on each
> server and some will say it's wrong to do firewalling on each/a server.

Some will. And some run only one server, and must be extra paranoid :)

> Just one firewall protecting the DMZ. Other computing systems
> living in the DMZ can cause noise, irrelevant log messages.
> I remember a case where delayed replies from the DNS server were
> logged by the kernel creating noise and bloating the logs.
> Of course YMMV...
>
> But we basically say the same thing... Use log_in_vain to see what
> passes your firewall and "touches" your servers. I prefer to turn
> it off afterwards, Ian prefers to leave it on.

Fair enough. I don't see any harm in leaving it on, as I tend to pay
attention to any 'irrelevant' messages and fix the source of them, and if
something slips by the firewall I want to know about it. Sometimes that
means things such as delayed responses from DNS being logged, it's true.

In Michael's case in point it did indicate a problem though, or at least
a deficiency in the lack of handling ident requests. As you say, YMMV.

Cheers, Ian
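The thread boils down to a triage question: of the kernel messages that net.inet.tcp.log_in_vain and net.inet.udp.log_in_vain produce, which are the noise Nikos describes (late DNS replies to an already-closed client socket), which are the ident lookups behind Michael's case, and which are the probes that got past the firewall and are Ian's reason for leaving the sysctl on? The script below is an added example written for this page, not code from the thread or from FreeBSD. It assumes the message format used by the log() calls in FreeBSD's tcp_input.c and udp_usrreq.c ("Connection attempt to TCP a.b.c.d:port from w.x.y.z:port flags:0x..", UDP lines carry no flags); check it against your own /var/log/messages before relying on it. The sample log lines, the resolver address, the local network and the 1024 ephemeral-port floor are all constructed for the example.

```python
"""Triage FreeBSD log_in_vain kernel messages (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed message format, after the log() calls in FreeBSD's tcp_input.c / udp_usrreq.c.
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[0-9a-fA-F:.]+):(?P<dport>\d+) from "
    r"(?P<src>[0-9a-fA-F:.]+):(?P<sport>\d+)"
    r"(?: flags:0x(?P<flags>[0-9a-fA-F]+))?"
)
TH_SYN = 0x02            # TCP SYN bit as it appears in flags:0x..
IDENT_PORT = 113
DNS_PORT = 53
EPHEMERAL_FLOOR = 1024   # assumption: ports >= this were client sockets, not services

# Constructed environment for the example: the resolver this host queries and its own DMZ net.
RESOLVERS = {"203.0.113.2"}
LOCAL_NETS = ["203.0.113.0/24"]

# Constructed sample log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
Oct 18 19:36:27 gw kernel: Connection attempt to TCP 203.0.113.10:113 from 198.51.100.25:43120 flags:0x02
Oct 18 19:36:31 gw kernel: Connection attempt to UDP 203.0.113.10:49811 from 203.0.113.2:53
Oct 18 19:40:02 gw kernel: Connection attempt to TCP 203.0.113.10:22 from 198.51.100.77:60011 flags:0x02
Oct 18 19:40:05 gw kernel: Connection attempt to TCP 203.0.113.10:80 from 198.51.100.77:60012 flags:0x10
Oct 18 19:41:00 gw kernel: Connection attempt to UDP 203.0.113.10:514 from 203.0.113.20:5432
Oct 18 19:41:10 gw sshd[123]: something unrelated
"""


@dataclass(frozen=True)
class Attempt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Optional[int]  # None for UDP: the kernel logs no flags there


def parse_line(line: str) -> Optional[Attempt]:
    """Extract the attempt from one syslog line; None if it is not a log_in_vain message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return Attempt(
        proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        flags=int(flags, 16) if flags is not None else None,
    )


def classify(a: Attempt, resolvers: set, local_nets: Iterable) -> str:
    """Put one attempt into the buckets the thread argues about."""
    src = ipaddress.ip_address(a.src)
    is_local = any(src in net for net in local_nets)
    # Nikos's case: our own resolver answered after the querying socket had closed.
    if (a.proto == "UDP" and a.sport == DNS_PORT and a.src in resolvers
            and a.dport >= EPHEMERAL_FLOOR):
        return "dns-late-reply"
    # No SYN bit: not a new connection, just a stray segment to a closed port.
    if a.proto == "TCP" and a.flags is not None and not (a.flags & TH_SYN):
        return "tcp-stray-segment"
    # Michael's case: a remote server doing an ident lookup against us.
    if a.proto == "TCP" and a.dport == IDENT_PORT and not is_local:
        return "ident-lookup"
    # Ian's reason for keeping the sysctl on: the firewall let a probe through.
    if not is_local:
        return "external-probe"
    return "internal-misconfig"  # a local host talking to a port nobody listens on


def triage(lines: Iterable[str], resolvers: set,
           local_nets: Iterable[str]) -> Tuple[Counter, List[Tuple[str, Attempt]]]:
    """Return (per-category counts, [(category, attempt), ...]) for all log_in_vain lines."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    rows = []
    for line in lines:
        a = parse_line(line)
        if a is not None:
            rows.append((classify(a, resolvers, nets), a))
    return Counter(c for c, _ in rows), rows


if __name__ == "__main__":
    counts, rows = triage(SAMPLE_LOG.splitlines(), RESOLVERS, LOCAL_NETS)
    for category, a in rows:
        print(f"{category:18} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    print(dict(counts))
```

Each bucket maps to a different fix rather than to switching the sysctl off: "dns-late-reply" is the noise Nikos mentions and is expected; "ident-lookup" is the case where a pf rule that returns a RST (block return ... port 113) lets the remote mail or IRC server give up immediately instead of timing out; "external-probe" means the perimeter firewall passed something it should not have; "internal-misconfig" points at a neighbour in the DMZ that needs fixing. Feed it `grep 'Connection attempt' /var/log/messages` and your own resolver and network values.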