From: Rasputin
To: security@freebsd.org
Date: Thu, 6 Dec 2001 12:52:24 +0000
Subject: ipf and log_in_vain
Message-ID: <20011206125224.A72358@shikima.mine.nu>

Hi there

I've been getting *buttloads* of messages like:

    Connection attempt to UDP 62.252.49.77:2716 from 194.168.4.100:53
    Connection attempt to UDP 62.252.49.77:2736 from 194.168.4.100:53
    Connection attempt to UDP 62.252.49.77:2759 from 194.168.8.100:53
    Connection attempt to UDP 62.252.49.77:2779 from 194.168.8.100:53

for ages, and decided it's time to fix it (for one thing, it makes the daily security mails from cron hard to read through).

I understand this is down to the log_in_vain sysctls, but since I run ipf I wonder why the kernel is seeing these at all? My understanding is that ipf should be keeping these packets out (possibly logging them itself) before they get into the part of the kernel that handles log_in_vain.

If that's the case, I'm assuming that the reason they manage to pass through is that keep-state directives in ipf.conf are still treating packets returned from (e.g.) DNS queries as part of an existing session.

Is this right, and if so, how do I drop the time an idle session is marked as active (the default is on the order of days, IIRC)?

There are also a lot of messages like this generated by localhost, but that's not ipf's fault (since loopback is wide open).

--
Rasputin :: Jack of All Trades - Master of Nuns ::
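An added example, not part of the mail above: a small Python triage script that parses log_in_vain lines of the exact shape quoted in the post and collapses them into per-source totals, separating "UDP from remote port 53 to an ephemeral local port" (consistent with late DNS replies, the theory in the mail) from anything else. The TCP line and the address 192.0.2.10 are constructed sample input, and the classification rule is a heuristic assumed here, not anything ipf or FreeBSD does.

```python
import re
from collections import Counter

# FreeBSD's net.inet.{tcp,udp}.log_in_vain messages have this fixed shape.
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)

# Sample input: the four lines quoted in the mail plus one constructed TCP
# line (192.0.2.10 is a documentation address) and one non-matching line.
SAMPLE_LINES = [
    "Connection attempt to UDP 62.252.49.77:2716 from 194.168.4.100:53",
    "Connection attempt to UDP 62.252.49.77:2736 from 194.168.4.100:53",
    "Connection attempt to UDP 62.252.49.77:2759 from 194.168.8.100:53",
    "Connection attempt to UDP 62.252.49.77:2779 from 194.168.8.100:53",
    "Connection attempt to TCP 62.252.49.77:22 from 192.0.2.10:40001",
    "Dec  6 12:00:00 shikima kernel: something unrelated",
]

def parse_line(line):
    """Return the five fields as a dict, or None if the line is not log_in_vain."""
    m = LOG_IN_VAIN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dst_port"], rec["src_port"] = int(rec["dst_port"]), int(rec["src_port"])
    return rec

def classify(rec):
    # Heuristic only (assumed here): UDP from remote port 53 to an ephemeral
    # local port is consistent with a DNS reply arriving after the resolver
    # socket closed (or the firewall's state entry expired); anything else
    # is treated as an unsolicited probe that deserves a closer look.
    if rec["proto"] == "UDP" and rec["src_port"] == 53 and rec["dst_port"] >= 1024:
        return "late-dns-reply"
    return "probe"

def summarize(lines):
    """Count messages per (category, source address) so a daily report shows
    a few totals instead of hundreds of near-identical lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(classify(rec), rec["src_ip"])] += 1
    return counts

if __name__ == "__main__":
    for (category, src), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:5d}  {category:15s} from {src}")
```

Feed it the kernel messages from /var/log/messages (or the daily security mail) on stdin instead of SAMPLE_LINES to get the same summary for a real host.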