Date:      Mon, 24 Feb 2003 21:35:22 -0500
From:      "Peter C. Lai" <sirmoo@cowbert.2y.net>
To:        Alexander Anderson <alex@upful.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: FireDNS and net.inet.udp.log_in_vain
Message-ID:  <20030225023522.GC280@cowbert.2y.net>
In-Reply-To: <20030225022356.GA77462@dusty.upful.org>
References:  <873cmmpc16.wl@bemidji.meridian-enviro.com> <1045544795.19726.3.camel@sambo.fud.org.nz> <20030222171054.GA97944@dusty.upful.org> <20030223193605.GD3812@gothmog.gr> <20030225022356.GA77462@dusty.upful.org>

One way to do this is to stop using log_in_vain, and switch to a packet filter.
There, you can selectively log for connections to everything except 53.
(i.e. in ipfw, have the deny from any to any rule logged, so that everything
that isn't allowed would get logged, which would effectively be everything
closed).
The other way would be to postprocess your syslog and strip out attempted connections
to port 53.

On Mon, Feb 24, 2003 at 09:23:56PM -0500, Alexander Anderson wrote:
> > > > >   Connection attempt to UDP <our-ip>:<port-above-1024> from
> > > > >   <ip-addr-in-resolv.conf>:53
> > 
> > You must have enabled log_in_vain in your rc.conf, right?
> 
> Yes, right.
> 
> And I want to have it enabled because I do want to log all connection
> attempts to ports that have no listening socket on them. The only exception
> is when my ISP's name servers are slow or overloaded, and when they reply,
> the local port is already closed, then I don't want to log their replies in
> vain.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
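
The second option in the reply above (post-processing syslog), as an added example that is not part of the original message. It drops only UDP log_in_vain lines from a nameserver listed in resolv.conf, source port 53, to a local port above 1024, so other traffic arriving from source port 53 is still logged; the function names, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, addresses and log lines are constructed.

# filter_in_vain RESOLV_CONF: copy syslog from stdin to stdout, dropping only
# "Connection attempt to UDP" lines whose source is <resolver>:53 and whose
# destination port is above 1024. Everything else passes through untouched.
filter_in_vain() {
    awk -v conf="$1" '
    BEGIN {
        key = "Connection attempt to UDP "
        # Load resolver addresses; a missing file just leaves the set empty.
        while ((getline line < conf) > 0) {
            split(line, f)
            if (f[1] == "nameserver") ns[f[2]] = 1
        }
        close(conf)
    }
    {
        p = index($0, key)
        if (p > 0) {
            # The remainder looks like "dst:port from src:port".
            n = split(substr($0, p + length(key)), w)
            if (n >= 3 && w[2] == "from") {
                dport = w[1]; sub(/^.*:/, "", dport)
                src = w[3];   sub(/:[0-9]+$/, "", src)
                sport = w[3]; sub(/^.*:/, "", sport)
                if (sport == "53" && dport + 0 > 1024 && (src in ns)) next
            }
        }
        print
    }'
}

# Constructed sample: two late resolver replies, one unknown host using source
# port 53, one resolver packet to a low port, and one TCP attempt.
sample_log() {
    printf '%s\n' \
      'Feb 24 21:30:01 host /kernel: Connection attempt to UDP 198.51.100.7:1025 from 192.0.2.53:53' \
      'Feb 24 21:30:05 host /kernel: Connection attempt to UDP 198.51.100.7:3456 from 203.0.113.9:53' \
      'Feb 24 21:30:09 host /kernel: Connection attempt to UDP 198.51.100.7:137 from 192.0.2.53:53' \
      'Feb 24 21:30:12 host /kernel: Connection attempt to TCP 198.51.100.7:23 from 203.0.113.9:4242' \
      'Feb 24 21:30:15 host /kernel: Connection attempt to UDP 198.51.100.7:40000 from 192.0.2.54:53'
}

demo() {
    conf=$(mktemp) || return 1
    printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$conf"
    sample_log | filter_in_vain "$conf"
    rm -f "$conf"
}
demo
```

On a real host the call would be `filter_in_vain /etc/resolv.conf < /var/log/messages`, with the log path adjusted to wherever kernel messages are written.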

