Date:      Fri, 19 Oct 2007 10:09:28 +0300
From:      Nikos Vassiliadis <nvass@teledomenet.gr>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        "Michael K. Smith - Adhost" <mksmith@adhost.com>, freebsd-questions@freebsd.org
Subject:   Re: Odd PF Denied Message
Message-ID:  <200710191009.28995.nvass@teledomenet.gr>
In-Reply-To: <Pine.BSF.3.96.1071019132823.23569A-100000@gaia.nimnet.asn.au>
References:  <Pine.BSF.3.96.1071019132823.23569A-100000@gaia.nimnet.asn.au>

On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
>  > If that's the only message you get
>  > you must be protected, at least packet_filtering-wise.

Here ^^^^

>  > I think log_in_vain can be used when configuring a firewall.
>  > Just to see quickly if your firewall works as expected and
>  > then turn it off. Otherwise it is just going to create tons
>  > of irrelevant log messages.
>
> On the contrary .. if your firewall is working correctly, you shouldn't
> ever be seeing connection attempts to non-listening ports, especially
> from outside. 

Hey, we are saying the same thing, aren't we?

> log_in_vain messages indicate some attention is needed, 
> either to block or reset those connections, or to provide a listener :)
> so removing log_in_vain (shooting the messenger) may not be a good idea.

Hm, almost the same thing. I tend to disagree with this. I prefer
log_in_vain off because usually a server will live in a DMZ. And
most of the time we do not bother running local firewalls on each
server, and some will say it's wrong to do firewalling on each/a server.
Just one firewall protecting the DMZ. Other computing systems
living in the DMZ can cause noise, irrelevant log messages.
I remember a case where delayed replies from the DNS server were
logged by the kernel, creating noise and bloating the logs.
Of course YMMV...

But we basically say the same thing... Use log_in_vain to see what
passes your firewall and "touches" your servers. I prefer to turn
it off afterwards, Ian prefers to leave it on.

Cheers

Nikos
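The check both posters agree on (turn log_in_vain on, look at what reaches the host, decide whether the perimeter firewall is doing its job) is mostly a matter of reading the kernel messages. The following is an added example, not code from the thread: it parses constructed log lines in the format FreeBSD's `net.inet.tcp.log_in_vain` and `net.inet.udp.log_in_vain` produce (the "Connection attempt to TCP a:b from c:d" wording is assumed from the kernel's log() call), counts attempts per destination port, and separates the noise Nikos describes (late DNS replies from a known resolver) from attempts the firewall should have dropped.

```python
import re
from collections import Counter

# Kernel message format produced by net.inet.{tcp,udp}.log_in_vain=1 on FreeBSD
# (assumed from the kernel's tcp_input.c / udp_usrreq.c log() calls).
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+) from "
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)"
)

# Constructed sample of /var/log/messages on a DMZ host (not real data).
SAMPLE_LOG = """\
Oct 18 19:30:01 dmzhost kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.5:51234 flags:0x02
Oct 18 19:30:05 dmzhost kernel: Connection attempt to TCP 192.0.2.10:3389 from 198.51.100.5:51240 flags:0x02
Oct 18 19:30:09 dmzhost kernel: Connection attempt to UDP 192.0.2.10:53 from 192.0.2.53:53
Oct 18 19:30:11 dmzhost kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.7:40001 flags:0x02
Oct 18 19:31:00 dmzhost sshd[1234]: Accepted publickey for nikos from 192.0.2.20 port 55000 ssh2
"""


def parse_log_in_vain(text):
    """Return one dict per log_in_vain kernel message found in text."""
    events = []
    for line in text.splitlines():
        m = LOG_IN_VAIN_RE.search(line)
        if not m:
            continue  # unrelated line (sshd, cron, ...)
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["sport"] = int(ev["sport"])
        events.append(ev)
    return events


def summarize(events):
    """Count attempts per (protocol, destination port)."""
    return Counter((ev["proto"], ev["dport"]) for ev in events)


def is_late_dns_reply(ev, resolvers):
    """The noise from the thread: a reply from a known resolver that arrives
    after the client socket closed is logged as a UDP attempt from port 53."""
    return ev["proto"] == "UDP" and ev["sport"] == 53 and ev["src"] in resolvers


def unexpected(events, allowed, resolvers=frozenset()):
    """Attempts the perimeter firewall should have dropped: anything whose
    (proto, port) is not in `allowed` and is not explainable as a late DNS reply."""
    return [
        ev for ev in events
        if (ev["proto"], ev["dport"]) not in allowed
        and not is_late_dns_reply(ev, resolvers)
    ]


if __name__ == "__main__":
    events = parse_log_in_vain(SAMPLE_LOG)
    for key, n in sorted(summarize(events).items()):
        print(f"{key[0]} port {key[1]}: {n} attempt(s)")
    # Only ssh is meant to reach this host; 192.0.2.53 is the site resolver.
    for ev in unexpected(events, allowed={("TCP", 22)}, resolvers={"192.0.2.53"}):
        print(f"firewall leak? {ev['proto']} {ev['dport']} from {ev['src']}")
```

On the sample, the RDP attempt (TCP 3389) is the one line worth acting on at the perimeter; the UDP 53 line is the delayed-reply noise, which is exactly why Nikos turns the sysctl off once the check is done.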
