Help with "Connection attempt to UDP" logs and my firewall.

labrocca

This is a very consistent message in my logs (/var/log/messages). How do I firewall this out? I use ipfw and FreeBSD.

Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:54120
Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:49660
Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:49661
Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:54594
Feb 20 20:25:02 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:59400
Feb 20 20:25:02 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:58385
Feb 20 20:25:13 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:65044
Feb 20 20:25:14 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:64506
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:60665
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:54429
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:52896
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:55425
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:61704
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:61705
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:61706
Feb 20 20:25:19 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:61707
Feb 20 20:25:25 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:51328
Feb 20 20:25:26 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:65493


Here are my firewall rules:

#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag

#bad guys
$cmd deny ip from 217.160.240.78 to me

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd allow icmp from any to any

#################################################
# Incoming/Outgoing Services
#################################################
$cmd allow tcp from any to any 21 setup keep-state
$cmd allow tcp from any to any 22 setup keep-state
$cmd allow tcp from any to any 25 setup keep-state
$cmd allow tcp from any to any 53 setup keep-state
$cmd allow udp from any to any 53 keep-state
$cmd allow tcp from any to any 80 setup keep-state
$cmd allow tcp from any to any 110 setup keep-state
$cmd allow tcp from any to any 143 setup keep-state
$cmd allow tcp from any to any 443 setup keep-state
$cmd allow tcp from any to any 2222 setup keep-state
$cmd allow tcp from any to any 32555-32565 in setup keep-state


#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any

Any help is appreciated.

EDIT: found out this is being caused by sysctl and the net.inet.udp.log_in_vain parameter being turned on. I have turned it off for now but would rather have it on and these packets dropped completely or firewalled. I count about 2 per second on my server.
 
To add to chatwizrd's reply: it's an IPv6 connection from localhost to your BIND port.

It's most likely harmless. You can disable IPv6 if you don't need it.

Jeff
 
Thanks for the help, sirs. I rebuilt the kernel without any IPv6 support and shut it off in rc.conf as well... seems to have fixed the problem.

Thanks.


EDIT:

Doh...now I get this:

Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 127.0.0.1:61266 from 127.0.0.1:53
Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 66.36.237.161:53406 from 66.36.237.161:53
Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 127.0.0.1:61266 from 127.0.0.1:53
Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 66.36.237.161:53406 from 66.36.237.161:53
Feb 25 14:17:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:56639 from 127.0.0.1:53
Feb 25 14:18:15 ns1 kernel: Connection attempt to UDP 127.0.0.1:56639 from 127.0.0.1:53
Feb 25 14:22:43 ns1 kernel: Connection attempt to UDP 127.0.0.1:43000 from 127.0.0.1:53
Feb 25 14:24:36 ns1 kernel: Connection attempt to UDP 127.0.0.1:3108 from 127.0.0.1:53

So...are these DNS spoof attempts or is there a configuration problem?
 
It appears your local /etc/resolv.conf has localhost in it.

It's contacting localhost:53 (the way a system does a DNS lookup is via UDP/53).

The high port numbers it comes from are just the random ports (> 1024) being used.

You are not being spoofed; your system is just attempting to look up DNS domains.

You need to allow localhost in your firewall rules.
 
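As an added illustration (not code from the thread), a small Python parser for the two log_in_vain line formats posted above: it separates the harmless loopback cases the reply describes (a local query to port 53, or the local DNS server's late reply to a resolver socket that has already closed) from a packet arriving at port 53 from a non-local source, and reports the busiest second so the volume can be judged before deciding whether to keep the sysctl on. The sample lines are constructed from the formats in the thread; 198.51.100.7 is a made-up documentation address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format net.inet.udp.log_in_vain writes to /var/log/messages:
# the thread's IPv6 and IPv4 forms, plus one made-up packet from a non-local source.
SAMPLE_LOG = """\
Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:54120
Feb 20 20:24:50 ns1 kernel: Connection attempt to UDP [::0001]:53 from [::0001]:49660
Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 127.0.0.1:61266 from 127.0.0.1:53
Feb 25 14:15:43 ns1 kernel: Connection attempt to UDP 66.36.237.161:53406 from 66.36.237.161:53
Feb 25 14:22:43 ns1 kernel: Connection attempt to UDP 66.36.237.161:53 from 198.51.100.7:40000
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                     r"Connection attempt to UDP (?P<dst>\S+) from (?P<src>\S+)$")

def parse_endpoint(text):
    """Split '[::0001]:53' or '127.0.0.1:53' into (ip_address, port)."""
    addr, port = text.rsplit(":", 1)
    return ipaddress.ip_address(addr.strip("[]")), int(port)

def classify(line):
    """Return (timestamp, category) for one log_in_vain line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst_ip, dst_port = parse_endpoint(m["dst"])
    src_ip, src_port = parse_endpoint(m["src"])
    if src_ip == dst_ip and src_port == 53:
        # The host's own DNS server answered a resolver socket that had already closed,
        # so nothing listens on that high port any more and the kernel logs the late reply.
        return m["ts"], "late-local-reply"
    if src_ip.is_loopback and dst_ip.is_loopback:
        return m["ts"], "loopback-query"   # local query to port 53 with nothing bound there
    if dst_port == 53:
        return m["ts"], "external-query"   # a non-local source asked this host for DNS
    return m["ts"], "other"

def summarize(log_text):
    """Count each category and the busiest second, to size the noise before tuning."""
    categories, per_second = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            categories[parsed[1]] += 1
            per_second[parsed[0]] += 1
    return dict(categories), max(per_second.values(), default=0)
```

Feed it the real file with `summarize(open("/var/log/messages").read())`; only the "external-query" bucket is the one worth looking at further.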
$cmd allow all from any to any via lo0

Doesn't that rule allow localhost? Thanks for your help.
 
I imagine you're having it overwritten by the latter commands:

Code:
$cmd deny all from 127.0.0.0/8 to any
$cmd deny all from any to 127.0.0.0/8

Order may be the key here.
 