Date:      Thu, 18 Mar 1999 21:09:11 +0100 (MET)
From:      Martin Machacek <mm@i.cz>
To:        freebsd-security@FreeBSD.ORG
Subject:   RE: unknown connection attempts from localhost
Message-ID:  <XFMail.990318210911.mm@i.cz>
In-Reply-To: <19990318182128.MNSH682101.mta1-rme@wocker>


On 18-Mar-99 Dan Langille wrote:
> I have recently turned on the log_in_vain stuff using the following:
> 
> sysctl -w net.inet.tcp.log_in_vain=1
> sysctl -w net.inet.udp.log_in_vain=1
> 
> Since then, I've been seeing entries in my log which I don't understand:
> 
> Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 
> 127.0.0.1:53
> Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 
> 127.0.0.1:53
> Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 
> 127.0.0.1:2191
> Mar 18 02:30:16 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 
> 127.0.0.1:2192
> 
> There's a large number that look like the first two.  To me it looks like 
> the DNS server tried to connect back to a request that came in on port 
> 1645/1739.  Say what?
> 
> The box in question is used as a name server and is a gateway/firewall box 
> running IP Filter and does NAT, runs sendmail, etc.

Does it run squid? I'm seeing a lot of those messages on my firewall too. My
current prime suspect is the dnsserver that is being started and used by
squid. It appears to me that it sets a very short timeout for DNS queries and
closes the socket when the timeout expires. Unfortunately it takes quite a
while to resolve some DNS names because the external connection is pretty
overloaded. So, the "late" replies from named (running on the same machine) come
too late and end up in "vain". I'm not completely satisfied with this
explanation but I currently have no time to investigate the phenomenon. Has
anybody gone through this already? BTW, the same happens on firewalls with
Gauntlet running on BSDI.

        Martin 

---
[PGP KeyID F3F409C4]]
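
The following triage script is an added example, not part of the original message or of FreeBSD: it parses `log_in_vain` UDP entries in the format quoted above and separates the pattern the reply attributes to late `named` answers (source port 53 to an unprivileged port) from everything else. The sample log, the label names and the 1024 port threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Mar 17 21:36:44 ns /kernel: Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
Mar 17 22:14:41 ns /kernel: Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
Mar 18 02:30:10 ns /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2191
Mar 18 03:01:02 ns /kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.7:137
Mar 18 03:05:00 ns sendmail[211]: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"Connection attempt to UDP "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse(log_text):
    """Return one dict per log_in_vain UDP entry; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dport"], e["sport"] = int(e["dport"]), int(e["sport"])
            entries.append(e)
    return entries

def classify(e):
    """Heuristic label: a datagram from port 53 to an unprivileged port that
    nobody listens on looks like a DNS answer whose client socket is gone."""
    local = e["src"].startswith("127.") and e["dst"].startswith("127.")
    where = "local" if local else "remote"
    if e["sport"] == 53 and e["dport"] >= 1024:
        return "late-dns-reply-" + where
    return where + "-other"

def summarize(log_text):
    """Count entries per label so the unexplained remainder stands out."""
    return Counter(classify(e) for e in parse(log_text))

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {label}")
```

Entries left in the `-other` buckets, such as the port 512 lines in the quoted log, are not covered by the late-reply explanation and need separate investigation.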
