From: Ian Smith
Date: Fri, 19 Oct 2007 14:06:35 +1000 (EST)
To: Nikos Vassiliadis
Cc: "Michael K. Smith - Adhost", freebsd-questions@freebsd.org
Subject: Re: Odd PF Denied Message
In-Reply-To: <20071018182512.ABD2B16A4F0@hub.freebsd.org>

On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
> On Thursday 18 October 2007 18:39:56 Michael K. Smith - Adhost wrote:
> > Thank you for the clue! We are using log in vain as part of our
> > security logging for this particular box, but this is the only message
> > I've ever seen so I'm not sure it's really needed.
>
> It must be a local program trying to connect to ident.

Yes, quite likely sendmail sending daily etc reports? You can either
run a (real or fake) ident daemon (see inetd.conf), or have the firewall
reset (not drop) such connections, avoiding sendmail(ono) delays waiting
for a response. If running a mailserver, this applies to outside too.

> Probably nothing to worry about. I would check which is
> this program though. If that's the only message you get
> you must be protected, at least packet_filtering-wise.
>
> I think log_in_vain can be used when configuring a firewall.
> Just to see quickly if your firewall works as expected and
> then turn it off. Otherwise it is just going to create tons
> of irrelevant log messages.

On the contrary .. if your firewall is working correctly, you shouldn't
ever be seeing connection attempts to non-listening ports, especially
from outside. log_in_vain messages indicate some attention is needed,
either to block or reset those connections, or to provide a listener :)
so removing log_in_vain (shooting the messenger) may not be a good idea.

Cheers, Ian