Odd PF Denied Message
Ian Smith
smithi at nimnet.asn.au
Fri Oct 19 03:30:31 PDT 2007
On Fri, 19 Oct 2007, Nikos Vassiliadis wrote:
> On Friday 19 October 2007 07:06:35 Ian Smith wrote:
> > On Thu, 18 Oct 2007 19:36:27 +0300 Nikos Vassiliadis wrote:
..
> > > I think log_in_vain can be used when configuring a firewall.
> > > Just to see quickly if your firewall works as expected and
> > > then turn it off. Otherwise it is just going to create tons
> > > of irrelevant log messages.
> >
> > On the contrary .. if your firewall is working correctly, you shouldn't
> > ever be seeing connection attempts to non-listening ports, especially
> > from outside.
>
> Hey, we are saying the same thing, aren't we?
Well, not exactly :) but I don't think we have any serious disagreement.
> > log_in_vain messages indicate some attention is needed,
> > either to block or reset those connections, or to provide a listener :)
> > so removing log_in_vain (shooting the messenger) may not be a good idea.
>
> Hm, almost the same thing. I tend to disagree with this. I prefer
> log_in_vain off because usually a server will live in a DMZ. And
> most of the time we donot bother runnning local firewalls one each
> server and some will say it's wrong to do firewalling on each/a server.
Some will. And some run only one server, and must be extra paranoid :)
> Just one firewall protecting the DMZ. Other computing systems
> living in the DMZ can cause noise, irrelevant log messages.
> I remember a case where delayed replies from the DNS server were
> logged by the kernel creating noise and bloating the logs.
> Ofcourse YMMV...
>
> But we basically say the same thing... Use log_in_vain to see what
> passes your firewall and "touches" your servers. I prefer to turn
> it off afterwards, Ian prefers to let it on.
Fair enough. I don't see any harm in leaving it on, as I tend to pay
attention to any 'irrelevant' messages and fix the source of them, and
if something slips by the firewall I want to know about it. Sometimes
that means such as delayed responses from DNS being logged, it's true.
In Michael's case in point it did indicate a problem though, or at least
a deficiency in the lack of handling ident requests. As you say, YMMV.
Cheers, Ian
More information about the freebsd-questions
mailing list