Name lookup strangeness

From: dfinkelstein@rsasecurity.com
To: freebsd-security@freebsd.org
Date: Wed, 04 Apr 2001 09:10:05 -0700


Greetings,

I've seen something strange on my box and I was hoping somebody could
provide some insight.

I'm running a 4.1.1 install with the patch for ipfw "established"
rules (advisory FreeBSD-SA-01:08). The box runs ipfw and natd. I run
no servers (no sendmail, bind, etc.) except for sshd and lpd; I have
firewall rules that prohibit connections to these services unless the
connection came from my internal network.

I do name lookups to my ISP's name servers (my firewall rules only
allow UDP traffic to/from port 53 on these servers). On three
occasions now (about a week or two apart), I've found that my box will
no longer resolve names. Network connectivity is otherwise
unaffected, and all my configuration seems to be unchanged (boxes on
my internal network are still able to do name lookups to my ISP's name
servers). When this happens, I have only been able to fix the problem
by rebooting.

Now, the interesting (to me) thing is, when this happens and I try to
resolve a name, I see the following sorts of entries in my firewall
log:

Apr 3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr 3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr 3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1530 out via tun0
Apr 3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1531 out via tun0

So when I type "nslookup somehost" my box attempts to connect to some
other machine at numerically increasing port numbers. The three times
this has happened, the scan has started at different numbers. The
target machine is not one of my name servers; once it was on my local
subnet, and twice it was on a "nearby" subnet (same ISP as me but the
last two octets of the address differed).

Does anybody have any ideas about what is going on, or other things I
should look for when this happens to try to trace the problem?

Thanks,

--- David
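A small log-sifting script for the pattern David describes above: outbound UDP leaving the box's own port 53 towards a host that is not one of its resolvers, at climbing destination ports. This is an added example, not code from the original message or from FreeBSD/ipfw; the addresses, the resolver set and the sample log lines are constructed, and the parser assumes the ipfw 4.x log format shown in the post.

```python
"""Sift ipfw log lines for outbound UDP from our own port 53 to hosts that are
not our configured resolvers.  Added example; the addresses and log lines
below are constructed (RFC 5737 ranges), not taken from the original message."""
import re
from collections import defaultdict

# ipfw 4.x log format, as quoted in the post:
#   "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample: our own address, the two resolvers the rules allow, and a log.
MY_ADDR = "192.0.2.10"
NAMESERVERS = {"198.51.100.5", "198.51.100.6"}
SAMPLE_LOG = [
    # the suspicious sweep: source port 53, destination port climbing
    "Apr  3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1529 out via tun0",
    "Apr  3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1529 out via tun0",
    "Apr  3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1530 out via tun0",
    "Apr  3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 192.0.2.77:1531 out via tun0",
    # traffic that must not be flagged: TCP, inbound, a configured resolver, a non-ipfw line
    "Apr  3 20:52:03 balagan /kernel: ipfw: 65435 Deny TCP 192.0.2.10:22 203.0.113.9:40001 out via tun0",
    "Apr  3 20:52:10 balagan /kernel: ipfw: 65435 Deny UDP 203.0.113.9:53 192.0.2.10:3000 in via tun0",
    "Apr  3 20:52:15 balagan /kernel: ipfw: 65435 Deny UDP 192.0.2.10:53 198.51.100.5:1532 out via tun0",
    "Apr  3 20:52:20 balagan sshd[123]: Accepted publickey for david from 192.0.2.20",
]


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None for other lines."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rogue_dns(lines, my_addr, nameservers):
    """Map destination -> destination ports (in log order) for outbound UDP
    packets sourced from my_addr:53 towards hosts that are not our resolvers."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "UDP" and rec["direction"] == "out"
                and rec["src"] == my_addr and rec["sport"] == 53
                and rec["dst"] not in nameservers):
            hits[rec["dst"]].append(rec["dport"])
    return dict(hits)


def ports_increasing(ports):
    """True when the ports never go down; repeats (retransmits) are allowed."""
    return len(ports) >= 2 and all(b >= a for a, b in zip(ports, ports[1:]))


def report(lines, my_addr, nameservers):
    """One summary line per destination that received port-53-sourced UDP from us."""
    out = []
    for dst, ports in find_rogue_dns(lines, my_addr, nameservers).items():
        tag = "increasing" if ports_increasing(ports) else "unordered"
        out.append(f"{my_addr}:53 -> {dst} ports {ports[0]}..{ports[-1]} "
                   f"({len(ports)} packets, {tag})")
    return out


if __name__ == "__main__":
    for summary in report(SAMPLE_LOG, MY_ADDR, NAMESERVERS):
        print(summary)
```

To run it against a real box, feed `report()` the lines of the file syslog writes ipfw messages to (on a 4.x install that is typically /var/log/security) together with the box's own address and the resolvers from /etc/resolv.conf; a destination tagged "increasing" that is not a resolver is the signature from the post.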
