Subject: Re: net.inet.tcp.log_refused??
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: tech-net
Date: 05/26/1999 18:44:22
thorpej@nas.nasa.gov (Jason Thorpe) writes:
> I see very little justification for this option, especially since, when
> it's used, it's a great way for an outsider to fill up your file system
> with useless log messages -- useless because the information in them can't
> even be trusted; forging the source address on the SYN is pretty easy.
While the source address/port can't be trusted, the destination
port/address can be. That does show interesting patterns. I use IP
filter to log all refused connections. Running an interpreted filter
just to get a log of outgoing reject packets it's kind of a big hammer
for what should be a simple task.
Until you start logging outgoing rejects you don't know what you are
missing. ;-) There are lots of turkeys out there trying regular
probes of all sorts of off-the-wall ports. If I had a penny for each
scan on tcp port 123435, I'd have quite a pile of pennies.
-wolfgang
--
Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
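One way to turn such a log into the destination-port view Wolfgang describes, as an added example that is not part of the original thread: the log lines are constructed, and the syslog wording ("Connection attempt to TCP <dst>:<dport> from <src>:<sport>") is assumed to match what net.inet.tcp.log_refused emits. Counts are keyed on the destination port, which the receiver can trust, while the claimed source addresses are only reported as a rough breadth hint.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the assumed style of NetBSD's log_refused output.
# Addresses and ports are made up for this example.
SAMPLE_LOG = """\
May 26 18:40:01 host /netbsd: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:1034
May 26 18:40:05 host /netbsd: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.9:40021
May 26 18:41:13 host /netbsd: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.7:1035
May 26 18:42:00 host /netbsd: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.77:2222
May 26 18:42:30 host /netbsd: Connection attempt to TCP 192.0.2.10:12345 from 203.0.113.77:2223
May 26 18:43:07 host /netbsd: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:1036
"""

LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse_refused(text):
    """Yield (dst, dport, src, sport) for each line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["dst"], int(m["dport"]), m["src"], int(m["sport"])

def count_by_dport(text):
    """Refused attempts per destination port: the field the receiver can trust."""
    return Counter(dport for _, dport, _, _ in parse_refused(text))

def sources_by_dport(text):
    """Number of distinct *claimed* source addresses per destination port.
    The SYN source may be forged, so this is a breadth hint, not an attribution."""
    srcs = defaultdict(set)
    for _, dport, src, _ in parse_refused(text):
        srcs[dport].add(src)
    return {port: len(s) for port, s in srcs.items()}

def report(text, top=5):
    """Summary lines, most-probed destination ports first."""
    counts = count_by_dport(text)
    breadth = sources_by_dport(text)
    return "\n".join(
        f"tcp/{port}: {n} refused, {breadth[port]} distinct claimed sources"
        for port, n in counts.most_common(top)
    )

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```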