From owner-freebsd-security Mon Feb 24 18:35:26 2003
Date: Mon, 24 Feb 2003 21:35:22 -0500
From: "Peter C. Lai"
To: Alexander Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FireDNS and net.inet.udp.log_in_vain
Message-ID: <20030225023522.GC280@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <873cmmpc16.wl@bemidji.meridian-enviro.com> <1045544795.19726.3.camel@sambo.fud.org.nz> <20030222171054.GA97944@dusty.upful.org> <20030223193605.GD3812@gothmog.gr> <20030225022356.GA77462@dusty.upful.org>
In-Reply-To: <20030225022356.GA77462@dusty.upful.org>
User-Agent: Mutt/1.4i

One way to do this is to stop using log_in_vain, and switch to a packet
filter. There, you can selectively log for connections to everything except
53. (i.e. in ipfw, have the deny from any to any rule logged, so that
everything that isn't allowed would get logged, which would effectively be
everything closed).

The other way would be to postprocess your syslog and strip out attempted
connections to port 53.

On Mon, Feb 24, 2003 at 09:23:56PM -0500, Alexander Anderson wrote:
> > > > > Connection attempt to UDP : from
> > > > > :53
> > > > You must have enabled log_in_vain in your rc.conf, right?
>
> Yes, right.
>
> And I want to have it enabled because I do want to log all connection
> attempts to ports that have no listening socket on them. The only exception
> is when my ISP's name servers are slow or overloaded, and when they reply,
> the local port is already closed, then I don't want to log their replies in
> vain.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
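The second approach in Peter's reply, post-processing syslog so that only the late DNS replies are dropped from the log_in_vain output, worked through as an added shell example (this is not code from the thread or from FreeBSD). The sample log lines, addresses and ports are constructed, the exact log_in_vain message format is assumed from the snippet quoted in the thread, and the ipfw rules in the comments are an illustrative rendering of the first approach that is not executed here.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
# Option 1 from the reply (ipfw, illustrative rule syntax, not run here):
#   ipfw add 100 check-state
#   ipfw add 200 allow udp from me to any 53 out keep-state  # our own DNS queries; in-time replies match the dynamic rule
#   ipfw add 300 deny udp from any 53 to me in               # late replies after the dynamic rule expired: dropped, not logged
#   ipfw add 65000 deny log ip from any to any               # everything else that is closed still gets logged
#
# Option 2 from the reply: post-process the syslog output instead.

# Constructed sample log_in_vain lines (format assumed from the thread's quote).
# Line 1 and 4 are late DNS replies (source port 53) to an already-closed local port.
# Line 5 is an attempt *to* our port 53, which must still be logged.
SAMPLE_LOG='Feb 24 21:30:01 host kernel: Connection attempt to UDP 192.0.2.10:52344 from 198.51.100.53:53
Feb 24 21:30:02 host kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.7:1027
Feb 24 21:30:03 host kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.9:4412
Feb 24 21:30:04 host kernel: Connection attempt to UDP 192.0.2.10:49152 from 198.51.100.54:53
Feb 24 21:30:05 host kernel: Connection attempt to UDP 192.0.2.10:53 from 203.0.113.11:3391'

# Drop only UDP log_in_vain lines whose *source* port is 53.
# Anchoring the pattern on "from <addr>:53" at end of line keeps attempts
# directed at our own port 53 ("...:53 from ..."), which we still want to see.
# "|| true" keeps the pipeline's exit status 0 when every line was filtered.
filter_in_vain() {
    grep -v -E 'Connection attempt to UDP [^ ]+ from [^ ]+:53$' || true
}

# Helpers that expose the filter's result for checking.
kept_lines() {
    printf '%s\n' "$SAMPLE_LOG" | filter_in_vain
}

count_kept() {
    kept_lines | wc -l | tr -d ' \t'
}

# Stand-alone run: show what survives the filter.
kept_lines
```

In use, the filter reads the real log (for example `filter_in_vain < /var/log/messages`) or sits in a syslog pipe; the regex is deliberately narrow so that every other closed-port attempt, including UDP and TCP probes from arbitrary source ports, still reaches the log.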