Date: Thu, 6 Dec 2001 12:52:24 +0000
From: Rasputin <rasputin@submonkey.net>
To: security@freebsd.org
Subject: ipf and log_in_vain
Message-ID: <20011206125224.A72358@shikima.mine.nu>

Hi there,

I've been getting *buttloads* of messages like:

Connection attempt to UDP 62.252.49.77:2716 from 194.168.4.100:53
Connection attempt to UDP 62.252.49.77:2736 from 194.168.4.100:53
Connection attempt to UDP 62.252.49.77:2759 from 194.168.8.100:53
Connection attempt to UDP 62.252.49.77:2779 from 194.168.8.100:53

for ages, and decided it's time to fix it (for one thing it makes the daily security mails from cron hard to read through).

I understand this is down to log_in_vain sysctls, but since I run ipf I wonder why the kernel is seeing these at all?

My understanding is that ipf should be keeping these packets out (possibly logging them itself) before they get into the part of the kernel that handles log_in_vain.

If that's the case, I'm assuming that the reason they manage to pass through is because keep-state directives in ipf.conf are still treating packets returned from (e.g.) DNS queries as part of an existing session.

Is this right, and if so, how do I drop the time an idle session is marked as active (the default is on the order of days, IIRC)?

There are also a lot of messages like this generated by localhost but that's not ipf's fault (since loopback is wide open).

-- 
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
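
For the readability problem with the daily security mail, the messages can be collapsed into one line per source and category. This is an added example, not part of the original message: the category names and the last two sample lines are constructed, and treating UDP from source port 53 as a late DNS reply follows the assumption made in the message.

```python
import re
from collections import Counter

# Message format as quoted in the post (emitted when log_in_vain is enabled).
LINE_RE = re.compile(
    r"Connection attempt to (UDP|TCP) "
    r"(\d+(?:\.\d+){3}):(\d+) from (\d+(?:\.\d+){3}):(\d+)"
)

# First four lines are the ones quoted in the post; the last two are
# constructed for contrast (loopback noise and a non-DNS source).
SAMPLE = """\
Connection attempt to UDP 62.252.49.77:2716 from 194.168.4.100:53
Connection attempt to UDP 62.252.49.77:2736 from 194.168.4.100:53
Connection attempt to UDP 62.252.49.77:2759 from 194.168.8.100:53
Connection attempt to UDP 62.252.49.77:2779 from 194.168.8.100:53
Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1044
Connection attempt to UDP 62.252.49.77:137 from 192.0.2.9:137
"""


def classify(proto, dport, src, sport):
    """Bucket one message; the category names are hypothetical labels."""
    if src.startswith("127."):
        return "loopback"
    # Assumption from the post: UDP from port 53 to an ephemeral port is a
    # DNS reply that arrived after the resolver socket had already closed.
    if proto == "UDP" and sport == 53 and dport >= 1024:
        return "late-dns-reply"
    return "unsolicited"


def summarize(text):
    """Return a Counter of (category, source address) -> message count."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a log_in_vain message
        proto, _dst, dport, src, sport = m.groups()
        counts[(classify(proto, int(dport), src, int(sport)), src)] += 1
    return counts


if __name__ == "__main__":
    for (category, src), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:4d}  {category:15s} {src}")
```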