Odd PF Denied Message

Nikos Vassiliadis nvass at teledomenet.gr
Fri Oct 19 00:14:27 PDT 2007

On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
>  > If that's the only message you get
>  > you must be protected, at least packet_filtering-wise.

Here ^^^^

>  > I think log_in_vain can be used when configuring a firewall.
>  > Just to see quickly if your firewall works as expected and
>  > then turn it off. Otherwise it is just going to create tons
>  > of irrelevant log messages.
> On the contrary .. if your firewall is working correctly, you shouldn't
> ever be seeing connection attempts to non-listening ports, especially
> from outside. 

Hey, we are saying the same thing, aren't we?

> log_in_vain messages indicate some attention is needed, 
> either to block or reset those connections, or to provide a listener :)
> so removing log_in_vain (shooting the messenger) may not be a good idea.

Hm, almost the same thing. I tend to disagree with this. I prefer
log_in_vain off because usually a server will live in a DMZ. And
most of the time we donot bother runnning local firewalls one each
server and some will say it's wrong to do firewalling on each/a server.
Just one firewall protecting the DMZ. Other computing systems
living in the DMZ can cause noise, irrelevant log messages.
I remember a case where delayed replies from the DNS server were
logged by the kernel creating noise and bloating the logs.
Ofcourse YMMV...

But we basically say the same thing... Use log_in_vain to see what
passes your firewall and "touches" your servers. I prefer to turn
it off afterwards, Ian prefers to let it on.



More information about the freebsd-questions mailing list