From owner-freebsd-security Thu Mar 18 10:21:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1]) by hub.freebsd.org (Postfix) with ESMTP id 3FC3914E57 for ; Thu, 18 Mar 1999 10:20:51 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.164.76]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990318182128.MNSH682101.mta1-rme@wocker> for ; Fri, 19 Mar 1999 07:21:28 +1300
From: "Dan Langille"
Organization: The FreeBSD Diary
To: freebsd-security@FreeBSD.ORG
Date: Fri, 19 Mar 1999 07:20:31 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: unknown connection attempts from localhost
Reply-To: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990318182128.MNSH682101.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have recently turned on the log_in_vain stuff using the following:

    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1

Since then, I've been seeing entries in my log which I don't understand:

    Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
    Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
    Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
    Mar 18 02:30:16 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192

There's a large number that look like the first two. To me it looks like the DNS server tried to connect back to a request that came in on port 1645/1739. Say what?

The box in question is used as a name server and is a gateway/firewall box running IP Filter and does NAT, runs sendmail, etc.

cheers.
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
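
An added example, not part of the original message: a small parser for the log_in_vain kernel lines quoted above that groups them by the side of the flow whose port stays fixed, so a large log collapses into a few recurring patterns. The function names are hypothetical, and treating ports below 1024 as the fixed "service" side is an assumption of this sketch.

```python
import ipaddress
import re
from collections import Counter

# The four log lines quoted in the message above.
SAMPLE_LOG = """\
Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
Mar 18 02:30:16 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S*kernel:\s"
    r"Connection attempt to (?P<proto>TCP|UDP)\s"
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse(text):
    """Return one dict per log_in_vain line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["dport"], ev["sport"] = int(ev["dport"]), int(ev["sport"])
        events.append(ev)
    return events

def pattern(ev, low=1024):
    """Key an event on its fixed-port side (assumption: ports < low are fixed)."""
    if ev["sport"] < low <= ev["dport"]:
        # Low source port, high destination port: traffic *from* a service port.
        return (ev["proto"], "from", ev["src"], ev["sport"])
    return (ev["proto"], "to", ev["dst"], ev["dport"])

def summarize(events):
    """Count events per pattern so repeated entries collapse into one row."""
    return Counter(pattern(ev) for ev in events)

def loopback_only(events):
    """True when every event has both endpoints on a loopback address."""
    return all(ipaddress.ip_address(ev[k]).is_loopback
               for ev in events for k in ("src", "dst"))

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, count in summarize(evs).most_common():
        print(count, *key)
    print("loopback only:", loopback_only(evs))
```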