Repeated connections to port 25 with firewall

Thomas T. Veldhouse veldy at veldy.net
Mon May 24 06:49:49 PDT 2004


From: "Jonathon McKitrick" <jcm at FreeBSD-uk.eu.org>
>
> This is probably a simple question with a simple answer, but I wasn't sure
> where to look.
>
> I recently installed a deny-all firewall and everything is working fine.
> However, I keep getting /kernel log messages about attempts to connect to
> port 25.  Are these just various processes trying to mail their results to
> root, but can't because of the firewall?  Or maybe cron doing the same thing?
>
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
> May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2270 flags:0x02
> May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
> May 24 08:10:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:2687 flags:0x02
> May 24 08:15:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3274 flags:0x02
> May 24 08:20:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1542 flags:0x02
> May 24 08:25:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:3652 flags:0x02
>
>

You should allow all traffic on your loopback device by default.  Much like
this (for IPFILTER)

pass in quick on lo0 all
pass out quick on lo0 all

It would also be good to block spoofed traffic if you are allowing connectivity
to the internet or other unprotected networks.

#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100

#
# prevent IP spoofing.
#
block in log quick from me to any group 100

BTW ... group 100 is "inbound packets on the public interface".

Tom Veldhouse
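
Added example, not part of the original message or of any FreeBSD tool: a small Python triage script for kernel log lines in the format quoted above. It separates loopback-to-loopback connection attempts from attempts arriving from other addresses and decodes the flags field; the third sample line and its documentation-range addresses are constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two lines in the format quoted in the thread, plus one
# invented non-loopback line (RFC 5737 documentation addresses) for contrast.
SAMPLE_LOG = """\
May 24 08:00:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1101 flags:0x02
May 24 08:05:00 neptune /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:4230 flags:0x02
May 24 08:07:13 neptune /kernel: Connection attempt to TCP 198.51.100.7:25 from 192.0.2.10:40112 flags:0x02
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?: flags:(?P<flags>0x[0-9a-fA-F]+))?"
)

# Standard TCP header flag bits; 0x02 alone is a bare SYN (a new connection).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_flags(value):
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_line(line):
    """Return a dict for a matching log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    return {
        "src": str(src), "dst": str(dst), "dport": int(m["dport"]),
        "flags": decode_flags(int(m["flags"], 16)) if m["flags"] else [],
        # Both ends on loopback means a local process, not a network peer.
        "local_only": src.is_loopback and dst.is_loopback,
    }

def summarize(log_text):
    """Count attempts per (origin, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            origin = "loopback" if rec["local_only"] else "remote"
            counts[(origin, rec["dport"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
```
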