From: Nikos Vassiliadis
To: Ian Smith
Cc: "Michael K. Smith - Adhost", freebsd-questions@freebsd.org
Date: Fri, 19 Oct 2007 10:09:28 +0300
Subject: Re: Odd PF Denied Message
Message-Id: <200710191009.28995.nvass@teledomenet.gr>
User-Agent: KMail/1.9.7
List-Id: User questions

On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
> > If that's the only message you get
> > you must be protected, at least packet_filtering-wise.

Here ^^^^

> > I think log_in_vain can be used when configuring a firewall.
> > Just to see quickly if your firewall works as expected and
> > then turn it off. Otherwise it is just going to create tons
> > of irrelevant log messages.
>
> On the contrary .. if your firewall is working correctly, you shouldn't
> ever be seeing connection attempts to non-listening ports, especially
> from outside.

Hey, we are saying the same thing, aren't we?

> log_in_vain messages indicate some attention is needed,
> either to block or reset those connections, or to provide a listener :)
> so removing log_in_vain (shooting the messenger) may not be a good idea.

Hm, almost the same thing. I tend to disagree with this. I prefer
log_in_vain off because usually a server will live in a DMZ. And most of
the time we do not bother running local firewalls on each server, and
some will say it's wrong to do firewalling on each/a server. Just one
firewall protecting the DMZ. Other computing systems living in the DMZ
can cause noise, irrelevant log messages. I remember a case where
delayed replies from the DNS server were logged by the kernel, creating
noise and bloating the logs. Of course YMMV...

But we basically say the same thing... Use log_in_vain to see what
passes your firewall and "touches" your servers. I prefer to turn it off
afterwards, Ian prefers to leave it on.

Cheers
Nikos
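Both sides of the thread agree that log_in_vain output is worth reading at least while checking a firewall; the disagreement is about the noise it produces afterwards, such as the delayed DNS replies Nikos mentions. The script below is an added example, not code from either poster or from FreeBSD: it parses kernel lines in the format `Connection attempt to TCP a.b.c.d:port from e.f.g.h:port flags:0x..` (UDP lines have no flags field) that `net.inet.tcp.log_in_vain` and `net.inet.udp.log_in_vain` emit, separates the late-DNS-reply noise from the remaining attempts, and totals the rest per destination port and per source so you can see what actually got past the perimeter. The sample log lines, host name and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines, written in the format FreeBSD's
# tcp_input.c / udp_input.c use for log_in_vain messages. The host
# "iris" and all addresses are invented for this example.
SAMPLE_LOG = """\
Oct 19 10:01:02 iris kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:41022 flags:0x02
Oct 19 10:01:03 iris kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.7:41023 flags:0x02
Oct 19 10:01:05 iris kernel: Connection attempt to UDP 192.0.2.10:51234 from 192.0.2.53:53
Oct 19 10:01:06 iris kernel: Connection attempt to UDP 192.0.2.10:51290 from 192.0.2.53:53
Oct 19 10:01:09 iris kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.9:55000 flags:0x02
Oct 19 10:01:10 iris kernel: pflog0: promiscuous mode enabled
"""

# TCP lines carry a "flags:0x.." suffix, UDP lines do not; IPv6 addresses
# appear in brackets, which \S+ still captures as one token.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\S+):(?P<dport>\d+) from (?P<src>\S+):(?P<sport>\d+)"
    r"(?: flags:0x(?P<flags>[0-9a-fA-F]+))?"
)


def parse_line(line):
    """Return a dict for a log_in_vain line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "src": d["src"],
        "sport": int(d["sport"]),
        "flags": int(d["flags"], 16) if d["flags"] else None,
    }


def is_dns_reply_noise(ev):
    """Heuristic for the case Nikos describes: a UDP datagram from a
    resolver's port 53 arriving at an ephemeral port whose socket has
    already been closed. Such a line says nothing about the firewall."""
    return ev["proto"] == "UDP" and ev["sport"] == 53 and ev["dport"] >= 1024


def summarize(text):
    """Split parsed events into noise and attempts worth a look, and
    count the latter by (proto, dst port) and by source address."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    noise = [e for e in events if is_dns_reply_noise(e)]
    real = [e for e in events if not is_dns_reply_noise(e)]
    return {
        "total": len(events),
        "noise": len(noise),
        "by_port": Counter((e["proto"], e["dport"]) for e in real),
        "by_src": Counter(e["src"] for e in real),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} log_in_vain events, {s['noise']} classified as DNS-reply noise")
    for (proto, port), n in sorted(s["by_port"].items()):
        print(f"  {proto}/{port}: {n}")
    for src, n in s["by_src"].most_common():
        print(f"  from {src}: {n}")
```

On a real host the input would be `/var/log/messages` (or the output of `dmesg`), and any entry left in `by_port` after the noise filter is exactly the kind of line Ian means: either the perimeter firewall should have dropped it, or something on that port should be listening. The noise filter is a starting point, not a rule; whatever else lives in your DMZ will produce its own patterns that you may want to add.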