Date: Mon, 24 May 2004 08:49:07 -0500
From: "Thomas T. Veldhouse" <veldy@veldy.net>
To: "Jonathon McKitrick" <jcm@FreeBSD-uk.eu.org>
Cc: FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: Re: Repeated connections to port 25 with firewall
Message-ID: <001501c44195$e2ac4610$321d590a@nic.target.com>
References: <20040524122957.GA47602@dogma.freebsd-uk.eu.org>
From: "Jonathon McKitrick" <jcm@FreeBSD-uk.eu.org>
>
> This is probably a simple question with a simple answer, but I wasn't sure
> where to look.
>
> I recently installed a deny-all firewall and everything is working fine.
> However, I keep getting /kernel log messages about attempts to connect to
> port 25. Are these just various processes trying to mail their results to
> root, but can't because of the firewall? Or maybe cron doing the same thing?
>
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2270 flags:0x02
> May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
> May 24 08:10:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2687 flags:0x02
> May 24 08:15:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3274 flags:0x02
> May 24 08:20:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1542 flags:0x02
> May 24 08:25:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3652 flags:0x02
>

You should allow all traffic on your loopback device by default. Much like
this (for IPFILTER)

pass in quick on lo0 all
pass out quick on lo0 all

It would also be good to block spoofed traffic if you are allowing connectivity
to the internet or other unprotected networks.

#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100

#
# prevent IP spoofing.
#
block in log quick from me to any group 100

BTW ... group 100 is "inbound packets on the public interface".

Tom Veldhouse
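
A triage helper for the log lines quoted above, as an added example that is not part of the original message: it parses the kernel's "Connection attempt" format, decodes the TCP flags byte (0x02 is SYN), and groups attempts by endpoint so that loopback-only traffic at a fixed interval stands out from attempts arriving from other hosts. The function names, the `year` parameter and the fourth sample line (documentation addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# First three lines come from the quoted message; the fourth is constructed
# (documentation addresses) to show a non-loopback attempt for contrast.
SAMPLE = """\
May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
May 24 08:10:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2687 flags:0x02
May 24 08:12:41 neptune /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40112 flags:0x02
"""

# Matches the message format shown in the quoted log excerpt.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: Connection attempt to TCP "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"flags:0x(?P<flags>[0-9a-fA-F]+)$")

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_flags(value):
    """Return the names of the TCP flag bits set in the logged flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def summarize(text, year=2004):
    """Group attempts by (src, dst, dport, flags); syslog omits the year, so it is a parameter."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a "Connection attempt" line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["dst"], int(m["dport"]), int(m["flags"], 16))
        groups[key].append(ts)
    report = []
    for (src, dst, dport, flags), stamps in sorted(groups.items()):
        stamps.sort()
        # A single distinct gap between consecutive attempts means a fixed schedule.
        gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
        report.append({
            "src": src, "dst": dst, "dport": dport,
            "flags": decode_flags(flags),
            "local_only": ip_address(src).is_loopback and ip_address(dst).is_loopback,
            "count": len(stamps),
            "periodic_secs": gaps.pop() if len(gaps) == 1 else None,
        })
    return report
```

Entries with `local_only` set and a constant `periodic_secs` point at a scheduled local job rather than an outside host; entries with `local_only` false are the ones worth checking against the inbound rules.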