Hello,

Within the last few minutes, my FreeBSD g'way reset itself. On coming up, I checked all available logs, and found the following in /var/log/security:

Oct 27 12:59:22 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 192.33.4.12:53 out via sis0
Oct 27 12:59:30 Demon last message repeated 8 times
Oct 27 12:59:34 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 192.112.36.4:53 out via sis0
Oct 27 12:59:36 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 192.112.36.4:53 out via sis0
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1077 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1076 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1075 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1074 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1073 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1071 from 127.0.0.1:53
Oct 27 12:59:36 Demon /kernel: Connection attempt to UDP 127.0.0.1:1072 from 127.0.0.1:53
Oct 27 12:59:38 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 128.63.2.53:53 out via sis0
Oct 27 12:59:42 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 128.9.0.107:53 out via sis0
Oct 27 12:59:44 Demon /kernel: Connection attempt to UDP 127.0.0.1:1078 from 127.0.0.1:53
Oct 27 12:59:46 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 193.0.14.129:53 out via sis0
<Messages repeated here - snip>
Oct 27 13:00:06 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:53 192.5.5.241:53 out via sis0
#

I recognised the remote addresses to be those of DNS root servers. To verify:

# nslookup 192.203.230.10
Server:  localhost.vickiandstacey.com
Address:  127.0.0.1

Name:    E.ROOT-SERVERS.NET
Address:  192.203.230.10
#

Here's what I've got from running last:

Demon# last
stacey   ttyp0   :0   Sun Oct 27 12:57   still logged in
stacey   ttyv0        Sun Oct 27 12:56   still logged in
reboot   ~            Sun Oct 27 12:56
stacey   ttyp2   :0   Sun Oct 27 00:52 - 01:18  (00:25)
stacey   ttyp0   :0   Sun Oct 27 00:18 - crash  (13:37)
stacey   ttyp2   :0   Sat Oct 26 21:15 - 00:15  (03:00)
stacey   ttyp2   :0   Fri Oct 25 20:59 - 23:02  (02:02)
stacey   ttyp2   :0   Fri Oct 25 19:45 - 20:25  (00:40)
stacey   ttyp1   :0   Wed Oct 23 22:50 - 23:19  (00:29)
stacey   ttyp0   :0   Wed Oct 23 22:41 - 00:15  (3+01:34)

Is anyone able to point me to what went wrong here? I suspect it's got something to do with the tons of ipfw DENY messages, but I wouldn't know where to start with this.

Here's the uname:

# uname -a
FreeBSD De<snip> 4.7-STABLE FreeBSD 4.7-STABLE #0: Sat Oct 12 10:04:03 BST 2002 root@<snip>.vickiandstacey.com:/usr/obj/usr/src/sys/FALCON i386
#

I'm running named in a sandbox here, and would have thought that this set-up would have prevented a crash of this nature (if it is indeed that the crash is related to DNS).

Anything that you need, please let me know.

TIA

Stacey

--
Stacey Roberts
B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com