Date: Mon, 26 Nov 2001 09:38:40 -0800 From: "Drew Tomlinson" <drew@mykitchentable.net> To: "Ian Smith" <smithi@nimnet.asn.au> Cc: <freebsd-security@FreeBSD.ORG> Subject: Re: Port 1214 - Is It Used For A Specific Purpose? Message-ID: <005a01c176a1$2fe31cf0$962a6ba5@lc.ca.gov> References: <Pine.BSF.3.96.1011127012840.19727B-100000@gaia.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message -----
From: "Ian Smith" <smithi@nimnet.asn.au>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, November 26, 2001 6:49 AM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
> On Sun, 25 Nov 2001, Drew Tomlinson wrote:
>
> > I was looking over my firewall logs this morning and noticed that
there
> > are many attempts to connect to TCP port 1214 from different
addresses.
>
> Good replies re the specific gadget, but you'll be seeing similar
scans
> for any number of mystery ports to every accessible address in your
net.
>
> [..]
>
> > P.S. 192.168.10.2 is my outside interface to my firewall. I know
it is
> > a private address but it's OK as my ADSL modem/router gets a public
> > address from my ISP via DHCP and performs NAT for the rest of my
> > machines.
> >
> > > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via
ed1
> [..]
> > > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via
ed1
>
> I don't understand why a firewall, upstream on ed1 as you describe it,
> would be passing TCP setup for this port on to you in the first place,
> unless it's a service that's been specifically allowed?
>
> Perhaps I misunderstand the topology - is this your local ipfw
logging?
My network setup is like this:
ISP
|
| IP is DHCP (RFC 1918 & draft-manning nets
| inbound blocked here)
|
ADSL Modem/Router (provides DNS & NAT)
|192.168.10.1 RFC 1918 & draft-manning nets
| outbound blocked here)
|
|192.168.10.2 (ed1)
|
Firewall (FBSD/IPFW Box)
|
|192.168.1.2 (ed0)
|
Internal Network 192.168.1.0/24
The ADSL modem/router (3Com OCR 812) is set to forward all packets to
the FBSD box. The modem/router has limited filtering capabilities
unless I can figure out how to write what the manual terms as "generic
packet filters" where one actually calculates the offset and examines
then next "n" bytes (bits?). But irregardless of the type of filter,
there is no logging as far as I can tell. I setup the FBSD box as a
firewall for finer control and so that I could see what's happening via
log files. In other words, the modem/router is mostly a modem. Because
I have been unsuccesful in setting it up as a bridge (which is what I
think I really want), I left NAT running on the router as there's no
reason to NAT twice.
Ultimately, I would like the modem/router to be a modem only and pass
*everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
may filter it there. When I originally signed up for DSL, the modem my
telco offered would only work with Windows as there was no "dial-up"
software for PPPoA. Thus I went for the router as it does the "dial-up"
internally.
I've fiddled with my setup several times and this is the best I could
come up with. However I'm always open to suggestions.
Thanks,
Drew
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005a01c176a1$2fe31cf0$962a6ba5>