Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: phranque
We run our own nameservers, and most of the drops are on port 53 UDP. These connection attempts come in waves of up to 50 from the same address over a short period of time.
I'm wondering if I should change the order of rules... e.g. by moving up this one:
pass in quick proto udp from any to <thishost> port = 53 keep state
Current sequence of rules on the public facing interface is as follows:
1. Allow in specific connections from known hosts
2. Deny in everything that is known to be invalid or bad
3. Allow in what has not been blocked so far and tries to access a valid, existing service
4. Deny in anything else
5. Outbound rules
Blocked example (section #2):
xyz0 @0:76 b 203.162.4.nnn,61492 -> aaa.bbb.ccc.ddd,53 PR udp len 20 63 IN
I'm wondering if allowing access to the nameserver (only for domains we are authoritative for) will merely shift the problem down to the next rule section or if it would bring down the number of failed attempts.
Or, I can just stop logging - since I already know these are bad ranges :)
Any experiences out there?
It's not an answer as such, but I would simply not log at all if you, as you say, already "know these are bad ranges".
I might just follow your advice, it would cut the log files down to 5% of their current size...
Maybe I'll log a few packets first just to find out what their purpose is supposed to be, but looking at the source countries I doubt it's anything I'd want to let in.