From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-questions@freebsd.org
Date: Thu, 19 Mar 2015 15:10:13 +0000
Subject: Re: public network traffic to my ip address port 53
Message-ID: <550AE6D5.3000109@freebsd.org>
In-Reply-To: <550AE2A7.3010903@gmail.com>

On 03/19/15 14:52, Ernie Luzar wrote:
> In my firewall log I see thousands of udp packets from ip addresses all
> over the world trying to access my freebsd gateway server on port 53.
> Right now I am blocking them and see no negative effects.
> Is there any valid reason to allow these unsolicited inbound packets
> access to my system on port 53?

This is DNS traffic. There's no need to allow people from outside to connect into your systems unless you're running an authoritative DNS server, but you should be aware that most of the DNS traffic you see will probably have originated from your own systems, and you are seeing the responses to queries your users have made. This will frequently involve servers not obviously related to the addresses you're looking up, as your systems try and find the right authoritative servers.

Note that while DNS is (mostly) a UDP protocol and UDP is stateless, so all you can see are packets going in various directions and no established connections, any stateful firewall such as pf or ipfw will allow you to permit outgoing queries only, by using stateful firewall rules.
Cheers,

Matthew
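As an added example (not part of the thread above, and not code from Matthew or the FreeBSD project), the following script sorts inbound port-53 log entries the way the reply describes: packets aimed at port 53 on the gateway are queries from outside, while packets from port 53 to an ephemeral port have the shape of answers to queries the gateway's own resolver sent out, which a stateful rule would have matched. The log lines are constructed in ipfw's syslog format, and the gateway address 203.0.113.5 is an assumed documentation-range address.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Optional, Set

# Assumed external address of the gateway (documentation range, not from the post).
GATEWAY_IP = "203.0.113.5"

# Constructed sample lines in ipfw's syslog format:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>
# These are invented for the example, not taken from the original poster's log.
SAMPLE_LOG = """\
Mar 19 14:50:01 gw kernel: ipfw: 65000 Deny UDP 198.51.100.7:53 203.0.113.5:51234 in via em0
Mar 19 14:50:01 gw kernel: ipfw: 65000 Deny UDP 192.0.2.44:41000 203.0.113.5:53 in via em0
Mar 19 14:50:02 gw kernel: ipfw: 65000 Deny UDP 192.0.2.44:41000 203.0.113.5:53 in via em0
Mar 19 14:50:02 gw kernel: ipfw: 65000 Deny UDP 198.51.100.9:53 203.0.113.5:60002 in via em0
Mar 19 14:50:03 gw kernel: ipfw: 65000 Deny UDP 192.0.2.77:53 203.0.113.5:53 in via em0
Mar 19 14:50:03 gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:33333 203.0.113.5:53 in via em0
Mar 19 14:50:04 gw kernel: ipfw: 65000 Deny UDP 192.0.2.3:5000 203.0.113.5:5000 in via em0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def classify(line: str, gateway_ip: str = GATEWAY_IP) -> Optional[str]:
    """Return a category for one inbound log line, or None if it is not DNS.

    query_to_gateway : destination port 53 on the gateway. Someone outside is
                       asking *us* for DNS; unless we run an authoritative
                       server this is unsolicited and can stay blocked.
    reply_to_us      : source port 53, ephemeral destination port. This is the
                       shape of an answer to a query our own resolver sent out,
                       which a stateful rule would already have matched.
    """
    m = LINE_RE.search(line)
    if not m or m["dir"] != "in" or m["dst"] != gateway_ip:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == 53:
        return "query_to_gateway"
    if sport == 53 and dport >= 1024:
        return "reply_to_us"
    return None


def summarize(log: str) -> Dict[str, Counter]:
    """Count log lines per category and the distinct remote addresses behind them.

    The distinct-peer count shows the point made in the reply: replies arrive
    from many servers that have no obvious relation to the names being looked up.
    """
    counts: Counter = Counter()
    peers: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        cat = classify(line)
        if cat is None:
            continue
        counts[cat] += 1
        peers[cat].add(LINE_RE.search(line)["src"])
    return {
        "lines": counts,
        "distinct_peers": Counter({k: len(v) for k, v in peers.items()}),
    }


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, dict(counter))
```

The port-shape test is only a heuristic: a packet spoofed from source port 53 looks identical to a genuine answer, which is exactly why the firewall should track the outgoing query and admit only the matching reply rather than trust port numbers. With pf that is a default `block in` on the external interface plus an outbound `pass ... proto udp to any port 53 keep state` rule; with ipfw it is `check-state` plus an outbound `keep-state` rule for UDP to port 53. After such rules the `reply_to_us` entries disappear from the deny log and only the `query_to_gateway` ones remain.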