Date:      Wed, 04 Apr 2001 09:10:05 -0700
From:      dfinkelstein@rsasecurity.com
To:        freebsd-security@freebsd.org
Subject:   Name lookup strangeness
Message-ID:  <200104041610.JAA24088@tuna.rsa.com>



Greetings,

I've seen something strange on my box and I was hoping somebody could
provide some insight.

I'm running a 4.1.1 install with the patch for ipfw "established"
rules (advisory FreeBSD-SA-01:08).  The box runs ipfw and natd.  I run
no servers (no sendmail, bind, etc.) except for sshd and lpd; I have
firewall rules that prohibit connections to these services unless the
connection came from my internal network.

I do name lookups to my ISP's name servers (my firewall rules only
allow UDP traffic to/from port 53 on these servers).  On three
occasions now (about a week or two apart), I've found that my box will
no longer resolve names.  Network connectivity is otherwise
unaffected, and all my configuration seems to be unchanged (boxes on
my internal network are still able to do name lookups to my ISP's name
servers).  When this happens, I have only been able to fix the problem
by rebooting.

Now, the interesting (to me) thing is, when this happens and I try to
resolve a name, I see the following sorts of entries in my firewall
log:

Apr  3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr  3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr  3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1530 out via tun0
Apr  3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1531 out via tun0

So when I type "nslookup somehost" my box attempts to connect to some
other machine at numerically increasing port numbers.  The three times
this has happened, the scan has started at different numbers.  The
target machine is not one of my name servers; once it was on my local
subnet, and twice it was on a "nearby" subnet (same ISP as me but the
last two octets of the address differed).

Does anybody have any ideas about what is going on, or other things I
should look for when this happens to try to trace the problem?

Thanks,

--- David

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
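The question above asks what else to look for when the symptom recurs. One concrete check a defender can script is to parse the ipfw syslog lines and pull out every denied UDP packet that touches port 53 but whose remote peer is not one of the permitted resolvers, noting in particular whether it is the *local* side that sits on port 53 (the box answering as if it were a name server, which is what the quoted log shows) and how the peer's port number climbs from one entry to the next. The following is an added example written for this page, not code from the original post or from FreeBSD; the log lines are constructed to match the shape of the entries quoted above, using documentation-range addresses as placeholders, and the resolver set is an assumed value you would replace with your ISP's servers.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the ipfw entries quoted in the post.
# The addresses are placeholders (RFC 5737 documentation ranges), not real hosts.
SAMPLE_LOG = """\
Apr  3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1529 out via tun0
Apr  3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1529 out via tun0
Apr  3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1530 out via tun0
Apr  3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1531 out via tun0
Apr  3 20:52:03 balagan /kernel: ipfw: 65435 Deny TCP 198.51.100.5:4433 192.0.2.10:22 in via tun0
"""

# Resolvers the firewall is meant to allow; assumed values for this example.
ALLOWED_RESOLVERS = {"203.0.113.1", "203.0.113.2"}

# One ipfw log line: timestamp, host, rule number, action, proto, src:port dst:port, direction, interface.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_line(line):
    """Return a dict for one ipfw syslog line, or None if the line is not an ipfw entry."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def parse_ipfw_log(text):
    """Parse a whole log file body, silently skipping non-ipfw lines."""
    return [e for e in (parse_ipfw_line(l) for l in text.splitlines()) if e]


def unexpected_dns_traffic(entries, allowed_resolvers):
    """Denied UDP entries that involve port 53 but whose remote peer is not a permitted resolver.

    Each finding records which side (local or remote) holds port 53: a query from
    the box has the *remote* side on 53, so a local port of 53 on an outbound
    packet means the box is emitting DNS-server-style traffic, not a lookup.
    """
    findings = []
    for e in entries:
        if e["action"] != "Deny" or e["proto"] != "UDP":
            continue
        if e["dir"] == "out":
            local, lport, remote, rport = e["src"], e["sport"], e["dst"], e["dport"]
        else:
            local, lport, remote, rport = e["dst"], e["dport"], e["src"], e["sport"]
        if 53 not in (lport, rport):
            continue
        if remote in allowed_resolvers:
            continue  # an ordinary blocked query to a known resolver is a different problem
        findings.append({
            "ts": e["ts"],
            "local": local,
            "remote": remote,
            "rport": rport,
            "local_is_port_53": lport == 53,
            "iface": e["iface"],
        })
    return findings


def peer_port_sequence(findings):
    """Group the remote port numbers per (local, remote) pair in log order,
    so a climbing sequence such as 1529, 1529, 1530, 1531 is visible at a glance."""
    seq = defaultdict(list)
    for f in findings:
        seq[(f["local"], f["remote"])].append(f["rport"])
    return dict(seq)


if __name__ == "__main__":
    hits = unexpected_dns_traffic(parse_ipfw_log(SAMPLE_LOG), ALLOWED_RESOLVERS)
    for h in hits:
        side = "LOCAL port 53" if h["local_is_port_53"] else "remote port 53"
        print(f'{h["ts"]}  {h["local"]} -> {h["remote"]}:{h["rport"]}  ({side}, via {h["iface"]})')
    print("port sequence per peer:", peer_port_sequence(hits))
```

Point it at the syslog file that receives the ipfw messages instead of `SAMPLE_LOG` and run it as soon as resolution fails; a list of findings where `local_is_port_53` is true for a peer that is not a resolver, with ports stepping upward, reproduces the pattern in the post and gives a timestamped record to compare against the natd and resolver configuration at that moment, rather than relying on memory after a reboot.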