From: "Thomas T. Veldhouse"
To: "Jonathon McKitrick"
cc: FreeBSD-Questions
Date: Mon, 24 May 2004 08:49:07 -0500
Message-ID: <001501c44195$e2ac4610$321d590a@nic.target.com>
References: <20040524122957.GA47602@dogma.freebsd-uk.eu.org>
Subject: Re: Repeated connections to port 25 with firewall

From: "Jonathon McKitrick"
>
> This is probably a simple question with a simple answer, but I wasn't sure
> where to look.
>
> I recently installed a deny-all firewall and everything is working fine.
> However, I keep getting /kernel log messages about attempts to connect to
> port 25. Are these just various processes trying to mail their results to
> root, but can't because of the firewall? Or maybe cron doing the same thing?
>
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2270 flags:0x02
> May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
> May 24 08:10:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2687 flags:0x02
> May 24 08:15:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3274 flags:0x02
> May 24 08:20:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1542 flags:0x02
> May 24 08:25:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3652 flags:0x02
>

You should allow all traffic on your loopback device by default. Much like
this (for IPFILTER):

pass in quick on lo0 all
pass out quick on lo0 all

It would also be good to block spoofed traffic if you are allowing
connectivity to the internet or other unprotected networks.

#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# prevent IP spoofing.
#
block in log quick from me to any group 100

BTW ... group 100 is "inbound packets on the public interface".

Tom Veldhouse
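The question turns on reading the kernel's "Connection attempt" lines and telling apart local processes hitting 127.0.0.1:25 (which the lo0 pass rules should have allowed) from traffic the reply's reserved-address rules are meant to drop. The following is an added example for this thread, not code from either poster: it parses lines in the format quoted above, classifies each one against the rule groups in the reply, and checks whether the loopback attempts land on whole five-minute boundaries, which is what a cron-driven job (the mail to root the question suspects) would look like. The sample log is constructed to resemble the quoted lines; the hostname and the non-loopback addresses are placeholders from documentation ranges.

```python
"""Classify FreeBSD kernel 'Connection attempt' log lines.

Added example for this mailing-list thread, not code from the original mail.
The sample lines are constructed to resemble the quoted ones; the public
addresses are documentation ranges, not real systems.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four loopback SMTP attempts on cron-style 5-minute boundaries,
# one RFC 1918 source hitting the public address, one ordinary external probe.
SAMPLE_LOG = """\
May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2270 flags:0x02
May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
May 24 08:10:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2687 flags:0x02
May 24 08:11:17 neptune /kernel: Connection attempt to TCP 203.0.113.7:25 from 10.1.2.3:40001 flags:0x02
May 24 08:12:42 neptune /kernel: Connection attempt to TCP 203.0.113.7:22 from 198.51.100.9:51234 flags:0x02
"""

# Field layout taken from the lines quoted in the question.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: flags:(?P<flags>0x[0-9a-fA-F]+))?$"
)

TH_SYN = 0x02  # the only TCP flag bit a plain connection request carries

# The ranges the reply's "Deny reserved addresses" rules block.
RESERVED_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a connection-attempt line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    rec["flags"] = int(rec["flags"], 16) if rec["flags"] else None
    # syslog timestamps carry no year; only the time of day is used below.
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def classify(rec):
    """Say which of the reply's rule groups should have handled this packet."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if src.is_loopback and dst.is_loopback:
        # A local process talking to a local daemon: the 'pass ... on lo0'
        # rules should let this through, so a log entry means they are missing.
        return "loopback"
    if any(src in net for net in RESERVED_NETS):
        # RFC 1918 source arriving on the public side: spoofed or misrouted,
        # correctly dropped and logged by the group 100 rules.
        return "reserved-source"
    return "external"


def summarize(text):
    """Parse a log excerpt and report counts plus whether loopback hits look cron-driven."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_class = Counter(classify(r) for r in recs)
    loopback = [r for r in recs if classify(r) == "loopback"]
    # cron fires on whole minutes; the quoted attempts land on :00, :05, :10 ...
    on_boundary = bool(loopback) and all(
        r["when"].second == 0 and r["when"].minute % 5 == 0 for r in loopback
    )
    all_syn = all(r["flags"] == TH_SYN for r in recs if r["flags"] is not None)
    return {
        "total": len(recs),
        "by_class": dict(by_class),
        "loopback_on_five_minute_boundary": on_boundary,
        "all_plain_syn": all_syn,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/messages excerpt, a "loopback" count above zero is the signal that the lo0 pass rules are absent or ordered after a block rule, while "reserved-source" hits on the public interface are the expected, harmless output of the anti-spoofing rules in the reply.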