Odd PF Denied Message

Ian Smith smithi at nimnet.asn.au
Thu Oct 18 21:06:51 PDT 2007

On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
 > On Thursday 18 October 2007 18:39:56 Michael K. Smith - Adhost wrote:
 > > Thank you for the clue!  We are using log in vain as part of our
 > > security logging for this particular box, but this is the only message
 > > I've ever seen so I'm not sure it's really needed.
 > It must be a local program trying to connect to ident.

Yes, quite likely sendmail sending daily etc reports?  You can either
run a (real or fake) ident daemon (see inetd.conf), or have the firewall
reset (not drop) such connections, avoiding sendmail(ono) delays waiting
for a response.  If running a mailserver, this applies to outside too. 

 > Probably nothing to worry about. I would check which is
 > this program though. If that's the only message you get
 > you must be protected, at least packet_filtering-wise.
 > I think log_in_vain can be used when configuring a firewall.
 > Just to see quickly if your firewall works as expected and
 > then turn it off. Otherwise it is just going to create tons
 > of irrelevant log messages.

On the contrary .. if your firewall is working correctly, you shouldn't
ever be seeing connection attempts to non-listening ports, especially
from outside.  log_in_vain messages indicate some attention is needed,
either to block or reset those connections, or to provide a listener :) 
so removing log_in_vain (shooting the messenger) may not be a good idea.

Cheers, Ian
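
The two firewall-side options above (drop vs. reset for ident, TCP port 113), as an added pf.conf fragment that is not from the thread; the interface name em0 and the use of pflog are assumptions:

```conf
# /etc/pf.conf fragment (added example, not from the original message)
ext_if = "em0"                  # assumed external interface

# Default policy: silently drop and log to pflog0. With this alone an
# ident probe from a remote MTA gets no answer and that MTA waits for
# its ident timeout before delivering mail to this host.
block drop log all

# Answer ident/auth probes with a TCP RST instead of dropping them, so
# the connecting MTA fails fast and falls back to its no-ident path.
# "return" sends a RST for TCP (ICMP unreachable for UDP). "quick" stops
# rule evaluation here so the later block-drop rule never sees port 113.
block return in quick log on $ext_if proto tcp from any to ($ext_if) port 113

# Alternative to the reset rule: actually provide a listener (inetd's
# built-in "auth" service in /etc/inetd.conf) and pass the probe through.
#pass in quick on $ext_if proto tcp from any to ($ext_if) port 113
```

With the reset rule in place, the kernel's net.inet.tcp.log_in_vain messages for port 113 stop, because the SYN never reaches the TCP stack; anything that still shows up under log_in_vain is then, as Ian says, traffic the ruleset is not handling and worth a look rather than a reason to turn the sysctl off.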

More information about the freebsd-questions mailing list