Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Aug 1999 03:19:42 +1000
From:      Greg Black <gjb-freebsd@gba.oz.au>
To:        Doug White <dwhite@resnet.uoregon.edu>
Cc:        Donald Burr <dburr@Powered-By.AC>, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>, FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: umountall requests - what does this all mean? 
Message-ID:  <19990811171943.8382.qmail@alice.gba.oz.au>
In-Reply-To: <Pine.BSF.4.10.9908091639070.1164-100000@resnet.uoregon.edu>  of Mon, 09 Aug 1999 16:39:42 MST
References:  <Pine.BSF.4.10.9908091639070.1164-100000@resnet.uoregon.edu> 

next in thread | previous in thread | raw e-mail | index | archive | help
Doug White writes:

> > Aug  7 19:04:49 60-Hz mountd[150]: umountall request from 207.71.226.193 from unprivileged port
> > 
> > 207.71.226.193 is the IP addressed assigned to me by my ADSL provider, so
> > I can only assume that these packets are coming in through the ADSL modem.
> > 
> > What do these messages mean, and should I be worried about them?  And how
> > do I block them?
> 
> What IP is 60-Hz?  
> 
> It's probably another machine trying to dismount partitions and mountd
> doesn't recognize it.  Probably harmless.

I got some similar messages on a 3.2 box a couple of days ago.
At the time it was connected only to my home LAN and no machines
outside of my office were physically connected to the LAN for
some hours before or after the messages appeared.  I was doing
some NFS mounts to that box, but there was no genuine umount
request at the time the message appeared.  In fact, now that I
check the log, the IP that the alleged request came from was the
IP of the host that complained -- there was no umount ever done
on the box that day.

I would have looked at it a bit harder, but I was in the middle
of determining why the box was suffering repeated panics.  Since
each panic took 45 minutes to induce and it took ten panics and
a few new kernels to find a solution and a few more iterations
of my test to feel confident that the panics were over, and this
minor detail got ignored.

The umountall notices came in the following sequence [I've
folded long lines and indented the continuations]:

Aug 10 12:30:37 bambi /kernel: changing root device to wd0s1a
Aug 10 12:30:37 bambi named[102]: starting.  named 8.1.2 Tue May 18
    03:29:06 GMT 1999   jkh@cathair:/usr/obj/usr/src/usr.sbin/named
Aug 10 12:30:37 bambi named[103]: Ready to answer queries.
Aug 10 12:31:33 bambi login: ROOT LOGIN (root) ON ttyv0
Aug 10 12:54:39 bambi mountd[120]: umountall request from
    192.168.1.12 from unprivileged port
Aug 10 12:54:43 bambi mountd[120]: umountall request from
    192.168.1.12 from unprivileged port
Aug 10 13:05:21 bambi mountd[120]: mount request succeeded from
    192.168.1.52 for /gba2
Aug 10 13:37:16 bambi /kernel: Out of mbuf clusters - adjust
    NMBCLUSTERS or increase maxusers!
Aug 10 13:37:16 bambi /kernel: xl0: no memory for rx list --
    packet dropped!

The first line is the end of the immediately previous reboot
after the previous panic.  The log continues in full up to the
next panic.  The root login at 12:31 was genuine and it was
partly to ensure that the DNS stuff was all working correctly.
The IP of the machine in question (bambi) was 192.168.1.12.  The
two umountall lines from that same IP at 12:54:{39,43} were
spurious.  The mount from 192.168.1.52 was the NFS mount that I
ran as part of the next test that was destined to crash the
machine 32 minutes later when it ran out of mbufs.  Nothing else
was happening at the time.  These messages did not appear during
any other tests.

-- 
Greg Black -- <gjb@acm.org>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990811171943.8382.qmail>