From owner-freebsd-security Thu Mar 18 12:10:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kamna.i.cz (kamna.i.cz [193.85.255.30]) by hub.freebsd.org (Postfix) with SMTP id 5FC63154C7 for ; Thu, 18 Mar 1999 12:09:31 -0800 (PST) (envelope-from mm@i.cz)
Received: (qmail 14652 invoked from network); 18 Mar 1999 20:09:11 -0000
Received: from woody.i.cz (@193.85.255.60) by kamna.i.cz with SMTP; 18 Mar 1999 20:09:11 -0000
Content-Length: 1691
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <19990318182128.MNSH682101.mta1-rme@wocker>
Date: Thu, 18 Mar 1999 21:09:11 +0100 (MET)
Reply-To: mm@i.cz
From: Martin Machacek
To: freebsd-security@FreeBSD.ORG
Subject: RE: unknown connection attempts from localhost
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 18-Mar-99 Dan Langille wrote:
> I have recently turned on the log_in_vain stuff using the following:
>
> sysctl -w net.inet.tcp.log_in_vain=1
> sysctl -w net.inet.udp.log_in_vain=1
>
> Since then, I've been seeing entries in my log which I don't understand:
>
> Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
> Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
> Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
> Mar 18 02:30:16 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192
>
> There's a large number that look like the first two. To me it looks like
> the DNS server tried to connect back to a request that came in on port
> 1645/1739. Say what?
>
> The box in question is used as a name server and is a gateway/firewall box
> running IP Filter and does NAT, runs sendmail, etc.

Does it run squid? I'm seeing a lot of those messages on my firewall too.

My current prime suspect is the dnsserver that is started and used by squid. It appears to me that it sets a very short timeout for DNS queries and closes the socket when the timeout expires. Unfortunately it takes quite a while to resolve some DNS names because the external connection is pretty overloaded. So the "late" replies from named (running on the same machine) arrive too late and end up "in vain". I'm not completely satisfied with this explanation, but I currently have no time to investigate the phenomenon. Has anybody gone through this already?

BTW, the same happens on firewalls with Gauntlet running on BSDI.

Martin
---
[PGP KeyID F3F409C4]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
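The "late reply" hypothesis in Martin's message is easy to check against a log before digging into squid or named: a reply from UDP port 53 landing on a high port that nobody listens on any more looks different from the other log_in_vain entries (the 127.0.0.1:512 lines in Dan's log, for instance, come from an ephemeral port and go to a low port, which is the opposite direction). The following script is an added example and is not part of the original thread or of any FreeBSD code; it parses the kernel's log_in_vain lines in the exact format quoted above, tags each one, and counts them. The sample lines are constructed (the first four copy Dan's entries, the fifth is made up), the "ephemeral port is 1024 or above" threshold is an assumption, and the sysctl names mentioned in the comments for the real port range are from memory, not from this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of log_in_vain output. The first four lines reproduce the
# entries Dan posted; the fifth is a made-up non-local TCP probe for contrast.
SAMPLE_LOG = """\
Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
Mar 18 02:30:16 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192
Mar 18 03:01:02 ns /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40001
"""

# One regex for the kernel message format quoted in the thread:
#   <timestamp> <host> /kernel: Connection attempt to <PROTO> <dst>:<dport> from <src>:<sport>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Assumption: treat 1024 and above as the client (ephemeral) range. On a real
# FreeBSD box check net.inet.ip.portrange.first/last instead of hard-coding it.
EPHEMERAL_START = 1024


def parse_line(line):
    """Return a dict of fields for one log_in_vain line, or None if it is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["dport"] = int(entry["dport"])
    entry["sport"] = int(entry["sport"])
    return entry


def classify(entry):
    """Tag an entry by what it most plausibly is.

    late-dns-reply : UDP datagram *from* port 53 to an ephemeral port on the same
                     host, i.e. an answer to a query whose socket is already closed
                     (Martin's squid dnsserver theory).
    local-other    : loopback traffic that does not fit that pattern, e.g. the
                     ephemeral -> 512 lines, which need a different explanation.
    external       : everything else; this is what log_in_vain was turned on for.
    """
    src_local = ipaddress.ip_address(entry["src"]).is_loopback
    dst_local = ipaddress.ip_address(entry["dst"]).is_loopback
    if (entry["proto"] == "UDP" and entry["sport"] == 53
            and entry["dport"] >= EPHEMERAL_START and src_local and dst_local):
        return "late-dns-reply"
    if src_local and dst_local:
        return "local-other"
    return "external"


def summarize(log_text):
    """Count entries per class; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


def late_reply_ports(log_text):
    """The closed client ports that late DNS answers were aimed at, in log order."""
    ports = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and classify(entry) == "late-dns-reply":
            ports.append(entry["dport"])
    return ports


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("late DNS replies were for client ports:", late_reply_ports(SAMPLE_LOG))
```

Run it over `/var/log/messages` instead of the sample to see whether the "late-dns-reply" bucket dominates, as it does in Dan's excerpt; if it does, correlating the timestamps with named's query log (or with squid's dnsserver timeout setting) is the next step, and the "local-other" lines deserve a separate look since they do not fit the same story.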