From owner-freebsd-security Thu Mar 18 18:58:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.3])
	by hub.freebsd.org (Postfix) with ESMTP id 6C00A14E7D
	for ; Thu, 18 Mar 1999 18:57:20 -0800 (PST)
	(envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.164.76]) by mta2-rme.xtra.co.nz
	(InterMail v04.00.02.07 201-227-108) with SMTP
	id <19990319025828.EDWZ3226200.mta2-rme@wocker>;
	Fri, 19 Mar 1999 15:58:28 +1300
From: "Dan Langille"
Organization: The FreeBSD Diary
To: alphen@craxx.com
Date: Fri, 19 Mar 1999 15:56:57 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: unknown connection attempts from localhost
Reply-To: junkmale@xtra.co.nz
Cc:
In-reply-to: <000001be7191$b78e5e70$0a0010ac@ren.craxx.com>
References: <19990318182128.MNSH682101.mta1-rme@wocker>
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990319025828.EDWZ3226200.mta2-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 18 Mar 99, at 23:50, laurens van alphen wrote:

> Hi,
>
> We see those too:
>
> > [snip] Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
> > [snip] Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
>
> That's bind for sure, dunno why it's sending UDP packets to random >1024
> ports. Note that the 'connection attempt' is misleading: UDP is
> connectionless.

Could this be a reply from query started on port > 1024?

> Anyone bothered to ask someone at the ISC?

I guess I should if I can't figure it out.

> > [snip] Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
> > [snip] Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192
>
> Using procmail as LDA?

No, I'm not using procmail. What's LDA?

> (maybe others have this behaviour as well) It's
> the biff mail notification protocol. Stock FreeBSD (3.1-R at least) has a
> mail notification daemon on port 512 (biff). You probably turned off the
> biff
> daemon in inetd.conf, you should! (on a nameserver at least)

Yes, it is turned off. Well, there is no reference to biff in my inetd.conf.

> Three options here:
>
> 1. fix your LDA
> 2. choose another LDA
> 3. live with it (that's what we do)

Guess 1 and 2 are out as I'm not using procmail.

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
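A small triage helper for log lines of this shape, added here as an example and not part of the original message: it buckets entries by the two patterns discussed in the thread (loopback UDP from source port 53 to a port above 1024, and loopback UDP to port 512, the biff port). The category names, the TCP variant of the pattern and the sample lines beyond the four quoted above are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the thread; any prefix (timestamp, "[snip]") is ignored.
# Accepting "TCP" as well as "UDP" is an assumption; the thread only shows UDP lines.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"], ev["sport"] = int(ev["dport"]), int(ev["sport"])
    return ev

def classify(ev):
    """Bucket an event; bucket names are hypothetical labels, not kernel output."""
    loopback = ev["src"].startswith("127.") and ev["dst"].startswith("127.")
    if loopback and ev["proto"] == "UDP":
        if ev["sport"] == 53 and ev["dport"] > 1024:
            return "local-dns-to-closed-port"   # the "bind" lines in the thread
        if ev["dport"] == 512:
            return "local-biff-notification"    # the port 512 (biff) lines
    return "other-loopback" if loopback else "remote"

def summarize(lines):
    """Count matching lines per bucket, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev is not None:
            counts[classify(ev)] += 1
    return dict(counts)

# First four lines are the ones quoted in the thread; the last two are constructed
# (documentation addresses) to exercise the "remote" bucket and the no-match path.
SAMPLE = [
    "[snip] Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53",
    "[snip] Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53",
    "[snip] Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191",
    "[snip] Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2192",
    "[snip] Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112",
    "[snip] unrelated kernel message",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entries that land in the `remote` bucket are the ones worth reading first; the two loopback buckets correspond to the local-daemon traffic the thread describes.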