From: "Dan Langille"
Organization: The FreeBSD Diary
To: Warren Toomey
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 23 Mar 1999 21:46:01 +1200
Subject: Re: unknown connection attempts from localhost

On 19 Mar 99, at 10:05, Warren Toomey wrote:

> > > [snip] Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
> > > [snip] Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
>
> Usually a reply to a DNS request from your machine. Your client has
> timed out, but the reply from the server still comes back. There
> just isn't anybody there to receive it.

I was looking at my kernel.log last night when I realised I was getting these messages whenever my security logs were mailed out to me. Then I remembered I was also having trouble with my ADSL modem. The two issues are linked. At present, this is just a theory, so I'd like feedback on whether or not the list thinks this is what is actually happening.
My topology looks something like this:

    210.55.164.76 assigned by DHCP server at my ISP
         |
     ADSL Modem
         |
    192.168.1.254
         |
         |
    192.168.0.1 as assigned via DHCP by the modem (ed0)
         |
      FreeBSD
         |
    192.168.0.156 static (ed1)
         |
         |
      my Hub

The ADSL modem contains a firewall, DHCP server, and does NAT. It's a Nokia M10. The firewall therein allows for only 8 pinholes. So I have http, telnet, dns, and mail coming in/out, but that's it.

I run a DNS for freebsddiary.cx on the FreeBSD box. When a request comes for that DNS I think it's actually going from the FreeBSD box, out to the ADSL modem which tries to send it back in again, but it's blocked by the modem's firewall because it's come from inside (i.e. the modem thinks it's a spoofed packet). This causes the timeout and hence the entries in kernel.log.

I have similar problems when browsing to my own websites. I can't get to http://www.freebsddiary.cx, but you can. It's because of the firewall in the modem. My ISP has acknowledged the problem and are "looking into it".

Today I was toying with adding routing or redirect information so that such requests never leave the FreeBSD box. I'm running ipfilter on the FreeBSD box so doing that should be pretty straightforward. But that's for another day.

cheers
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd
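A way to triage the "Connection attempt" messages discussed in this thread, added here as an example and not part of the original message. It separates datagrams that look like late DNS replies (UDP from port 53 to a high port) from other refused connections; the syslog prefix, the TCP line, the 192.0.2.x addresses and the category names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the kernel message quoted in the thread; any syslog prefix is ignored.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def classify(line):
    """Return (category, fields) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    dport, sport = int(f["dport"]), int(f["sport"])
    # UDP from port 53 to a high port with no listener is what a DNS answer
    # looks like once the resolver has timed out and closed its socket.
    # Heuristic only: a source port is sender-controlled and can be forged.
    if f["proto"] == "UDP" and sport == 53 and dport >= 1024:
        return "late-dns-reply", f
    # Traffic aimed at a low (service) port that nobody is listening on.
    if dport < 1024:
        return "closed-service-probe", f
    return "other", f

def summarize(lines):
    """Count matching lines per category; non-matching lines are skipped."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[result[0]] += 1
    return dict(counts)

# Constructed sample: the first two messages are the ones quoted in the thread
# (with an invented syslog prefix); the rest are made up for contrast.
SAMPLE = [
    "Mar 18 23:40:01 host /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53",
    "Mar 18 23:40:02 host /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53",
    "Mar 18 23:41:10 host /kernel: Connection attempt to TCP 192.168.0.1:23 from 192.0.2.10:40112",
    "Mar 18 23:41:11 host /kernel: Connection attempt to UDP 192.168.0.1:33434 from 192.0.2.10:40113",
    "Mar 18 23:42:00 host sendmail[123]: unrelated line",
]

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {category}")
```

A burst of "late-dns-reply" entries that lines up with a scheduled job, such as the mailed security logs mentioned above, points at resolver timeouts rather than probing.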