From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 15:08:04 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCD7D16A4CE; Fri, 9 Jan 2004 15:08:04 -0800 (PST)
Received: from munk.nu (mail.munk.nu [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 512BF43D1D; Fri, 9 Jan 2004 15:08:03 -0800 (PST) (envelope-from munk@munk.nu)
Received: from munk by munk.nu with local (Exim 4.24; FreeBSD) id 1Af5jV-0000cZ-SM; Fri, 09 Jan 2004 23:08:01 +0000
Date: Fri, 9 Jan 2004 23:08:01 +0000
From: Jez Hancock
To: Alexandre Krasnov
cc: freebsd-security@freebsd.org
Subject: Re: Problem with DNS (UDP) queries
Message-ID: <20040109230801.GE1488@users.munk.nu>
In-Reply-To: <1839710842.20040109181325@tern.ru>
References: <1775511953.20040109173220@tern.ru> <20040109144956.GB87284@users.munk.nu> <1839710842.20040109181325@tern.ru>
Mail-Followup-To: Alexandre Krasnov, Jez Hancock, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 09 Jan 2004 23:08:04 -0000

On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd@tern.ru wrote:
> Yes, I had thought about what you wrote.
> Because of this I mentioned that 'I do not want to turn off the "log
> in vain" feature.'

In that case I imagine you'd need to hack the kernel source code to make it
not log vain udp port 53 requests. I'm fairly sure it's an 'all or nothing'
sysctl mib/flag.

Why do you want to log those vain connection attempts using 'log_in_vain'
though? It would be a lot more suitable to use the logging feature in ipfw2
and disable the log_in_vain feature completely.
Just my opinion though :P

> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
> >> Hi all
> >>
> >> I am trying to get rid of strings:
> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> >> on my console and in log file
> >>
> >> I understand that those are replies on DNS queries that for some reason
> >> took too long time to be answered.
> >> I do not want to turn off the "log in vain" feature.
> >>
> >> As these strings fill up my log I am afraid to miss some sensitive
> >> messages (e.g. hacker's attack :)
> >>
> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> >> DNS queries and DNS replies.
> >>
> >> The main application that generates queries is sendmail.
> >>
> >> What can be done?
>
> JH> I believe those messages are generated if the following sysctl flag is
> JH> set:
>
> JH> net.inet.udp.log_in_vain
>
> JH> you can disable it by executing:
>
> JH> sysctl net.inet.udp.log_in_vain=0
>
> JH> on the commandline.
>
> JH> Obviously though this will disable logging of all vain connection attempts using
> JH> the udp protocol. However if you have ipfw set up to log such attempts,
> JH> you don't really need that sysctl flag set anyway.
>
> JH> See also the tcp equivalent flag:
>
> JH> net.inet.tcp.log_in_vain
>
> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
> JH> setting.
>
> Alex.
>

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
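A third option between the two discussed in the thread (hacking the kernel, or turning `net.inet.udp.log_in_vain` off and relying on ipfw logging) is to leave the sysctl on and post-filter the log instead, so the late-DNS-reply lines from source port 53 are dropped while every other vain connection attempt still reaches the console or log. The script below is an added example written for this thread, not something from the original posters; the `filter_vain` and `count_dns_replies` function names and the log lines are constructed for illustration, and it assumes the kernel message layout the original poster quoted (`Connection attempt to UDP DST_IP:port from SRC_IP:53`). It can be fed from a syslog pipe action or run over an existing `/var/log/messages`.

```shell
#!/bin/sh
# Added example (not from the thread): post-filter net.inet.udp.log_in_vain
# output so DNS replies arriving after the resolver gave up (source port 53)
# are suppressed while all other "Connection attempt" lines are kept.

# Prints every line that is NOT a UDP "Connection attempt" from source port 53.
# Non-log_in_vain lines (sshd, cron, ...) pass through untouched, and TCP
# attempts and UDP attempts from any other source port are kept as well.
filter_vain() {
    awk '
        /Connection attempt to (UDP|TCP) / {
            # Layout: ... to PROTO DST_IP:DST_PORT from SRC_IP:SRC_PORT
            n = split($0, w, " ")
            src = w[n]              # last field is SRC_IP:SRC_PORT
            sub(/^.*:/, "", src)    # keep only the source port
            if ($0 ~ /Connection attempt to UDP / && src == "53") next
        }
        { print }
    '
}

# Counts the suppressed DNS-reply lines so a daily report can still show the
# volume of late replies (useful for spotting resolver or firewall problems).
count_dns_replies() {
    grep -c 'Connection attempt to UDP .* from [0-9.]*:53$'
}

# Constructed sample log input (documentation-range IPs, not real hosts).
SAMPLE='Jan  9 18:01:02 host kernel: Connection attempt to UDP 192.0.2.10:1234 from 192.0.2.53:53
Jan  9 18:01:05 host kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.7:1025
Jan  9 18:01:09 host kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:40000
Jan  9 18:01:11 host sshd[123]: Accepted publickey for alice from 192.0.2.20 port 55555 ssh2
Jan  9 18:01:12 host kernel: Connection attempt to UDP 192.0.2.10:3456 from 192.0.2.53:53'

# Helpers returning counts, so the filter behaviour can be checked.
kept_lines()    { printf '%s\n' "$SAMPLE" | filter_vain | wc -l | tr -d ' '; }
dropped_lines() { printf '%s\n' "$SAMPLE" | count_dns_replies; }

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | filter_vain
    echo "suppressed DNS replies: $(dropped_lines)"
fi
```

Run with `--demo` to see the three surviving lines (the UDP/137 probe, the TCP/22 attempt and the sshd line) and the count of two suppressed DNS replies. The filter keys on the source port only, so a genuine probe that happens to come from port 53 would also be hidden; if that matters, pair it with the ipfw2 logging the reply above recommends for the DNS rules, which records those packets independently of the sysctl.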