From owner-freebsd-questions@FreeBSD.ORG Thu Mar 19 15:31:37 2015
Message-ID: <550AEBDD.8010405@gmail.com>
Date: Thu, 19 Mar 2015 11:31:41 -0400
From: Ernie Luzar
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: public network traffic to my ip address port 53
References: <550AE2A7.3010903@gmail.com> <550AE6D5.3000109@freebsd.org>
In-Reply-To: <550AE6D5.3000109@freebsd.org>

Matthew Seaman wrote:
> On 03/19/15 14:52, Ernie Luzar wrote:
>
>> In my firewall log I see thousands of udp packets from ip addresses all
>> over the world trying to access my freebsd gateway server on port 53.
>> Right now I am blocking them and see no negative effects.
>> Is there any valid reason to allow these unsolicited inbound packets
>> access to my system on port 53?
>>
>
> This is DNS traffic. There's no need to allow people from outside to
> connect into your systems unless you're running an authoritative DNS
> server, but you should be aware that most of the DNS traffic you see
> will probably have originated from your own systems, and you are seeing
> the responses to queries your users have made. This will frequently
> involve servers not obviously related to the addresses you're looking
> up, as your systems try and find the right authoritative servers.
>
> Note that while DNS is (mostly) a UDP protocol, and UDP is stateless, so
> all you can see are packets going in various directions and no
> established connections, any stateful firewall such as pf or ipfw will
> allow you to permit outgoing queries only, by using stateful firewall rules.
>
> Cheers,
>
> Matthew
>
>

I am running ipfilter and it also has stateful UDP rules. That is how I know this inbound dns traffic is unsolicited.
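The stateful approach Matthew describes, written as an ipfilter ruleset since that is what Ernie runs; this is added here as an example and is not taken from either poster's configuration. It assumes the external interface is em0 and that the gateway is not an authoritative server for any zone.

```conf
# /etc/ipf.conf fragment (hypothetical; external interface assumed to be em0).
# ipfilter is last-match-wins unless a rule says "quick", so every rule
# below uses "quick" to stop evaluation at the first match.

# Outbound DNS queries from the gateway itself or from NATed LAN clients.
# "keep state" records the UDP address/port pair so the matching reply is
# admitted from the state table without any "pass in" rule on port 53.
pass out quick on em0 proto udp from any to any port = 53 keep state

# DNS falls back to TCP for truncated answers and zone transfers; track the
# outgoing connection the same way (state created on the initial SYN).
pass out quick on em0 proto tcp from any to any port = 53 flags S keep state

# Anything still arriving on port 53 matched no state entry, so it was not
# a reply to one of our queries. Drop it and log it so the firewall log
# keeps showing the unsolicited traffic.
block in log quick on em0 proto udp from any to any port = 53
block in log quick on em0 proto tcp from any to any port = 53

# Only a gateway that is itself authoritative for a zone would add a
# "pass in ... port = 53" rule; it is intentionally absent here.
```

Late replies that arrive after the UDP state entry has expired also fall through to the block rule, so a small share of the logged port-53 hits can be slow responses rather than scanning noise.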