Re: Odd PF Denied Message
On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
>> If that's the only message you get you must be protected, at least packet_filtering-wise.
>>
>> Here I think log_in_vain can be used when configuring a firewall. Just to see quickly if your firewall works as expected and then turn it off. Otherwise it is just going to create tons of irrelevant log messages.
>
> On the contrary .. if your firewall is working correctly, you shouldn't ever be seeing connection attempts to non-listening ports, especially from outside.

Hey, we are saying the same thing, aren't we?

> log_in_vain messages indicate some attention is needed, either to block or reset those connections, or to provide a listener :) so removing log_in_vain (shooting the messenger) may not be a good idea.

Hm, almost the same thing. I tend to disagree with this. I prefer log_in_vain off because usually a server will live in a DMZ. And most of the time we do not bother running local firewalls on each server, and some will say it's wrong to do firewalling on each/a server. Just one firewall protecting the DMZ. Other computing systems living in the DMZ can cause noise, irrelevant log messages. I remember a case where delayed replies from the DNS server were logged by the kernel, creating noise and bloating the logs. Of course YMMV...

But we basically say the same thing... Use log_in_vain to see what passes your firewall and touches your servers. I prefer to turn it off afterwards, Ian prefers to leave it on.

Cheers
Nikos
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Odd PF Denied Message
On Fri, 19 Oct 2007, Nikos Vassiliadis wrote:
> On Friday 19 October 2007 07:06:35 Ian Smith wrote:
>> On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
>>> .. I think log_in_vain can be used when configuring a firewall. Just to see quickly if your firewall works as expected and then turn it off. Otherwise it is just going to create tons of irrelevant log messages.
>>
>> On the contrary .. if your firewall is working correctly, you shouldn't ever be seeing connection attempts to non-listening ports, especially from outside.
>
> Hey, we are saying the same thing, aren't we?

Well, not exactly :) but I don't think we have any serious disagreement.

>> log_in_vain messages indicate some attention is needed, either to block or reset those connections, or to provide a listener :) so removing log_in_vain (shooting the messenger) may not be a good idea.
>
> Hm, almost the same thing. I tend to disagree with this. I prefer log_in_vain off because usually a server will live in a DMZ. And most of the time we do not bother running local firewalls on each server, and some will say it's wrong to do firewalling on each/a server.

Some will. And some run only one server, and must be extra paranoid :)

> Just one firewall protecting the DMZ. Other computing systems living in the DMZ can cause noise, irrelevant log messages. I remember a case where delayed replies from the DNS server were logged by the kernel, creating noise and bloating the logs. Of course YMMV...
>
> But we basically say the same thing... Use log_in_vain to see what passes your firewall and touches your servers. I prefer to turn it off afterwards, Ian prefers to leave it on.

Fair enough. I don't see any harm in leaving it on, as I tend to pay attention to any 'irrelevant' messages and fix the source of them, and if something slips by the firewall I want to know about it. Sometimes that means things such as delayed responses from DNS being logged, it's true.

In Michael's case in point it did indicate a problem though, or at least a deficiency in the lack of handling ident requests. As you say, YMMV.

Cheers, Ian
Odd PF Denied Message
Hello All:

We're getting a ton of these.

+Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52655 flags:0x02

We've basically allowed all traffic to and from 127.0.0.1 in our ruleset, but nothing seems to work. Does anyone have a magic bullet to make this go away?

Thanks for any help!

Regards,

Mike
Re: Odd PF Denied Message
On Thursday 18 October 2007 17:59:49 Michael K. Smith - Adhost wrote:
> Hello All:
>
> We're getting a ton of these.
>
> +Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52655 flags:0x02

This doesn't look like a pf(4) message. This looks like sysctl net.inet.tcp.log_in_vain is 1. It logs every connection attempt to a non-listening TCP port.

> We've basically allowed all traffic to and from 127.0.0.1 in our ruleset, but nothing seems to work. Does anyone have a magic bullet to make this go away?

Yes, set the afore-mentioned sysctl to 0.

Nikos
RE: Odd PF Denied Message
Hello Nikos:

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 18, 2007 9:30 AM
To: freebsd-questions@freebsd.org
Cc: Michael K. Smith - Adhost
Subject: Re: Odd PF Denied Message

> On Thursday 18 October 2007 17:59:49 Michael K. Smith - Adhost wrote:
>> Hello All:
>>
>> We're getting a ton of these.
>>
>> +Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52655 flags:0x02
>
> This doesn't look like a pf(4) message. This looks like sysctl net.inet.tcp.log_in_vain is 1. It logs every connection attempt to a non-listening TCP port.
>
>> We've basically allowed all traffic to and from 127.0.0.1 in our ruleset, but nothing seems to work. Does anyone have a magic bullet to make this go away?
>
> Yes, set the afore-mentioned sysctl to 0.

Thank you for the clue! We are using log in vain as part of our security logging for this particular box, but this is the only message I've ever seen so I'm not sure it's really needed.

Regards,

Mike
Re: Odd PF Denied Message
On Thursday 18 October 2007 18:39:56 Michael K. Smith - Adhost wrote:
> Thank you for the clue! We are using log in vain as part of our security logging for this particular box, but this is the only message I've ever seen so I'm not sure it's really needed.

It must be a local program trying to connect to ident. Probably nothing to worry about. I would check which program this is, though.

If that's the only message you get you must be protected, at least packet_filtering-wise.

I think log_in_vain can be used when configuring a firewall. Just to see quickly if your firewall works as expected and then turn it off. Otherwise it is just going to create tons of irrelevant log messages.

Nikos
Re: Odd PF Denied Message
Michael K. Smith - Adhost [EMAIL PROTECTED] writes:
> We've basically allowed all traffic to and from 127.0.0.1 in our ruleset, but nothing seems to work. Does anyone have a magic bullet to make this go away?

set skip on lo0 is not the default, but essentially the only sane way to go. See if that doesn't help.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Odd PF Denied Message
On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
> On Thursday 18 October 2007 18:39:56 Michael K. Smith - Adhost wrote:
>> Thank you for the clue! We are using log in vain as part of our security logging for this particular box, but this is the only message I've ever seen so I'm not sure it's really needed.
>
> It must be a local program trying to connect to ident.

Yes, quite likely sendmail sending daily etc reports? You can either run a (real or fake) ident daemon (see inetd.conf), or have the firewall reset (not drop) such connections, avoiding sendmail(ono) delays waiting for a response. If running a mailserver, this applies to outside too.

> Probably nothing to worry about. I would check which program this is, though.
>
> If that's the only message you get you must be protected, at least packet_filtering-wise.
>
> I think log_in_vain can be used when configuring a firewall. Just to see quickly if your firewall works as expected and then turn it off. Otherwise it is just going to create tons of irrelevant log messages.

On the contrary .. if your firewall is working correctly, you shouldn't ever be seeing connection attempts to non-listening ports, especially from outside.

log_in_vain messages indicate some attention is needed, either to block or reset those connections, or to provide a listener :) so removing log_in_vain (shooting the messenger) may not be a good idea.

Cheers, Ian
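As an added example (not code from the thread or from FreeBSD), the script below does the triage Nikos and Ian describe: it parses the kernel's log_in_vain message quoted above, decodes the flags field (assumed to be the raw TCP header flag bits, so 0x02 is SYN), separates loopback sources (a local program on the box) from remote ones (something the perimeter filter let through), and maps each group to the action suggested in the thread. The sample log lines, the `mail` host name and the addresses are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address
# Kernel message logged when net.inet.tcp.log_in_vain=1 (the line quoted in the
# thread); a syslog prefix may precede it, so we search rather than match.
LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" from (?P<src>[\d.]+):(?P<sport>\d+) flags:0x(?P<flags>[0-9a-fA-F]+)"
)
# Assumption: the flags value is the TCP header flag byte (0x02 = SYN).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
# Constructed sample log: host name and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Oct 18 09:01:02 mail kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52655 flags:0x02
Oct 18 09:01:03 mail kernel: Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:52656 flags:0x02
Oct 18 09:05:44 mail kernel: Connection attempt to TCP 192.0.2.10:3389 from 198.51.100.7:40111 flags:0x02
Oct 18 09:07:00 mail kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.9:5555 flags:0x02
Oct 18 09:08:00 mail sshd[812]: Accepted publickey for ops from 192.0.2.50 port 50122 ssh2
"""

def parse_line(line):
    """Fields of one log_in_vain message, or None for any other log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = int(m["flags"], 16)
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]),
            "flags": [n for bit, n in sorted(TCP_FLAGS.items()) if flags & bit]}

def triage(lines):
    """Count attempts by (scope, destination port); loopback sources are local programs."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        scope = "local" if ip_address(rec["src"]).is_loopback else "remote"
        counts[(scope, rec["dport"])] += 1
    return counts

def findings(counts):
    """Map each group to the action the thread suggests."""
    out = []
    for (scope, port), n in sorted(counts.items()):
        if scope == "local" and port == 113:
            out.append(f"{n}x local ident probe: a local program (likely a mailer) wants ident; "
                       "provide an ident listener or have the firewall reset, not drop, port 113")
        elif scope == "remote":
            out.append(f"{n}x remote probe of closed port {port}: the perimeter filter let it through")
        else:
            out.append(f"{n}x local probe of closed port {port}: find the program responsible")
    return out
```

Run `findings(triage(SAMPLE_LOG.splitlines()))` over your own `/var/log/messages` lines instead of the sample to see whether the noise is local (fix the program or add a listener) or remote (fix the filter).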