From: dfinkelstein@rsasecurity.com
To: freebsd-security@freebsd.org
Subject: Name lookup strangeness
Date: Wed, 04 Apr 2001 09:10:05 -0700
Message-Id: <200104041610.JAA24088@tuna.rsa.com>

Greetings,

I've seen something strange on my box and I was hoping somebody could provide some insight.

I'm running a 4.1.1 install with the patch for ipfw "established" rules (advisory FreeBSD-SA-01:08). The box runs ipfw and natd. I run no servers (no sendmail, bind, etc.) except for sshd and lpd; I have firewall rules that prohibit connections to these services unless the connection came from my internal network. I do name lookups to my ISP's name servers (my firewall rules only allow UDP traffic to/from port 53 on these servers).

On three occasions now (about a week or two apart), I've found that my box will no longer resolve names. Network connectivity is otherwise unaffected, and all my configuration seems to be unchanged (boxes on my internal network are still able to do name lookups to my ISP's name servers). When this happens, I have only been able to fix the problem by rebooting.

Now, the interesting (to me) thing is, when this happens and I try to resolve a name, I see the following sorts of entries in my firewall log:

    Apr 3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
    Apr 3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
    Apr 3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1530 out via tun0
    Apr 3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1531 out via tun0

So when I type "nslookup somehost" my box attempts to connect to some other machine at numerically increasing port numbers. The three times this has happened, the scan has started at different numbers. The target machine is not one of my name servers; once it was on my local subnet, and twice it was on a "nearby" subnet (same ISP as me but the last two octets of the address differed).

Does anybody have any ideas about what is going on, or other things I should look for when this happens to try to trace the problem?

Thanks,
---
David
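The log entries above are exactly the kind of thing worth catching automatically rather than noticing only once resolution has already failed: outbound UDP leaving the box from source port 53 towards a host that is not one of its configured resolvers. The script below is an added example, not code from the poster or from FreeBSD; it parses ipfw log lines in the format shown in the message and groups such traffic by destination, reporting how many packets were seen and whether the destination ports climb the way they do above. The addresses are constructed placeholders (the post masks the real ones), the `ALLOWED_RESOLVERS` set and `LOCAL_ADDR` are assumptions you would fill in from your own resolv.conf and interface, and the sample lines are constructed to mirror the post; in practice you would feed it the file ipfw's `log` rules write to through syslog (typically /var/log/security).

```python
"""Flag outbound UDP leaving a host from port 53 towards anything that is
not one of its configured resolvers, as seen in ipfw log lines.

Added example; not part of the original mailing-list post."""
import re
from collections import defaultdict

# Assumed, constructed values (RFC 5737 documentation ranges). Replace with
# your own host address and the resolvers from /etc/resolv.conf.
LOCAL_ADDR = "192.0.2.5"
ALLOWED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# ipfw log line layout as it appears in the post:
#   <syslog ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample log, mirroring the four Deny lines from the post plus
# ordinary resolver traffic and a line that is not an ipfw record at all.
SAMPLE_LOG = [
    "Apr 3 20:39:50 balagan /kernel: ipfw: 200 Accept UDP 192.0.2.5:1025 198.51.100.10:53 out via tun0",
    "Apr 3 20:39:50 balagan /kernel: ipfw: 200 Accept UDP 198.51.100.10:53 192.0.2.5:1025 in via tun0",
    "Apr 3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.5:53 203.0.113.77:1529 out via tun0",
    "Apr 3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.5:53 203.0.113.77:1529 out via tun0",
    "Apr 3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.5:53 203.0.113.77:1530 out via tun0",
    "Apr 3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.5:53 203.0.113.77:1531 out via tun0",
    "Apr 3 20:52:00 balagan sshd[123]: Accepted publickey for david from 192.168.1.2",
]


def parse_ipfw_line(line):
    """Return a dict of fields for an ipfw log line, or None if it is not one."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_rogue_dns_egress(lines, local_addr=LOCAL_ADDR, allowed_resolvers=ALLOWED_RESOLVERS):
    """Group outbound UDP from local_addr:53 by destination host, ignoring the
    configured resolvers. Returns {dst: summary} where summary records the
    packet count, the destination ports in log order, whether those ports
    never decrease (the climbing pattern seen in the post), the rules that
    logged them and the first/last timestamps."""
    by_dst = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue  # not an ipfw line; ignore rather than fail
        if rec["proto"] != "UDP" or rec["dir"] != "out":
            continue
        if rec["src"] != local_addr or rec["sport"] != 53:
            continue
        if rec["dst"] in allowed_resolvers:
            continue
        by_dst[rec["dst"]].append(rec)

    findings = {}
    for dst, recs in by_dst.items():
        ports = [r["dport"] for r in recs]
        findings[dst] = {
            "count": len(recs),
            "ports": ports,
            "ascending_ports": all(b >= a for a, b in zip(ports, ports[1:])),
            "rules": sorted({r["rule"] for r in recs}),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
    return findings


if __name__ == "__main__":
    for dst, info in find_rogue_dns_egress(SAMPLE_LOG).items():
        print(f"{dst}: {info['count']} UDP packets from {LOCAL_ADDR}:53, "
              f"ports {info['ports']} (ascending={info['ascending_ports']}), "
              f"rules {info['rules']}, {info['first']} .. {info['last']}")
```

The filter keys on the property that matters here, source port 53 on the box itself heading out to a non-resolver, rather than on the rule number or the Deny action, so it still fires if the offending traffic ever slips past a more permissive rule and is merely logged. Seeing one destination accumulate a run of non-decreasing ports is the signal to capture the traffic and compare the resolver state (resolv.conf, natd's translation table) against what the internal hosts are doing, before the next reboot erases the evidence.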