From: "Drew Tomlinson"
To: "Ian Smith"
Delivered-To: freebsd-security@freebsd.org
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
Date: Mon, 26 Nov 2001 09:38:40 -0800
Message-ID: <005a01c176a1$2fe31cf0$962a6ba5@lc.ca.gov>

----- Original Message -----
From: "Ian Smith"
To: "Drew Tomlinson"
Sent: Monday, November 26, 2001 6:49 AM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?

> On Sun, 25 Nov 2001, Drew Tomlinson wrote:
>
> > I was looking over my firewall logs this morning and noticed that there
> > are many attempts to connect to TCP port 1214 from different addresses.
>
> Good replies re the specific gadget, but you'll be seeing similar scans
> for any number of mystery ports to every accessible address in your net.
>
> [..]
>
> > P.S. 192.168.10.2 is my outside interface to my firewall. I know it is
> > a private address but it's OK as my ADSL modem/router gets a public
> > address from my ISP via DHCP and performs NAT for the rest of my
> > machines.
> >
> > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> [..]
> > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
>
> I don't understand why a firewall, upstream on ed1 as you describe it,
> would be passing TCP setup for this port on to you in the first place,
> unless it's a service that's been specifically allowed?
>
> Perhaps I misunderstand the topology - is this your local ipfw logging?

My network setup is like this:

                 ISP
                  |
                  |  IP is DHCP        (RFC 1918 & draft-manning nets
                  |                     inbound blocked here)
                  |
       ADSL Modem/Router (provides DNS & NAT)
                  |  192.168.10.1      (RFC 1918 & draft-manning nets
                  |                     outbound blocked here)
                  |
                  |  192.168.10.2 (ed1)
                  |
       Firewall (FBSD/IPFW Box)
                  |
                  |  192.168.1.2 (ed0)
                  |
       Internal Network 192.168.1.0/24

The ADSL modem/router (3Com OCR 812) is set to forward all packets to the
FBSD box. The modem/router has limited filtering capabilities unless I can
figure out how to write what the manual terms "generic packet filters",
where one actually calculates the offset and examines the next "n" bytes
(bits?). But regardless of the type of filter, there is no logging as far
as I can tell. I set up the FBSD box as a firewall for finer control and
so that I could see what's happening via log files.

In other words, the modem/router is mostly a modem. Because I have been
unsuccessful in setting it up as a bridge (which is what I think I really
want), I left NAT running on the router as there's no reason to NAT twice.
Ultimately, I would like the modem/router to be a modem only and pass
*everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
may filter it there. When I originally signed up for DSL, the modem my
telco offered would only work with Windows as there was no "dial-up"
software for PPPoA. Thus I went for the router as it does the "dial-up"
internally.

I've fiddled with my setup several times and this is the best I could come
up with. However, I'm always open to suggestions.

Thanks,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
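Added example (not code from the thread or from FreeBSD): a small Python parser for ipfw log lines in the format Drew quoted, which groups denied inbound connections by destination port and counts distinct source addresses. That distinction is the one Ian draws: many sources hitting one port looks like broad scanning, while one source hitting a port repeatedly looks like a single persistent client. The two 1214 lines are taken from the thread; the remaining log lines (198.51.100.x and 203.0.113.x sources, syslog prefixes, the UDP and Accept entries) are constructed for the example.

```python
import re
from collections import defaultdict

# Log format as shown in the thread:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# A syslog prefix (timestamp, host, "/kernel:") may precede "ipfw:", so we
# search within the line rather than anchoring at its start.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample log. The first two lines are the ones quoted in the
# thread; the rest are made up for this example.
SAMPLE_LOG = [
    "ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1",
    "ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1",
    "Nov 25 08:14:07 fw /kernel: ipfw: 65500 Deny TCP 198.51.100.7:3311 192.168.10.2:1214 in via ed1",
    "Nov 25 08:20:41 fw /kernel: ipfw: 65500 Deny TCP 198.51.100.7:3312 192.168.10.2:1214 in via ed1",
    "Nov 25 08:21:03 fw /kernel: ipfw: 65500 Deny UDP 203.0.113.9:1030 192.168.10.2:137 in via ed1",
    "Nov 25 08:22:15 fw /kernel: ipfw: 100 Accept TCP 192.168.1.50:49152 203.0.113.9:80 out via ed1",
]


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(lines, direction="in"):
    """Group Deny entries in the given direction by (proto, dport).

    Each entry records the hit count, the set of distinct source addresses
    and the set of interfaces the packets arrived on (the "via" field, which
    is what Ian asks about: it tells you which interface saw the packet).
    """
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "ifaces": set()})
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny" or rec["dir"] != direction:
            continue
        entry = summary[(rec["proto"], rec["dport"])]
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["ifaces"].add(rec["iface"])
    return dict(summary)


def likely_scan_targets(summary, min_sources=2):
    """Ports hit from at least min_sources distinct addresses, busiest first.

    Returns (proto, dport, hits, distinct_sources) tuples.
    """
    rows = [
        (proto, dport, entry["hits"], len(entry["sources"]))
        for (proto, dport), entry in summary.items()
        if len(entry["sources"]) >= min_sources
    ]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0], r[1]))


if __name__ == "__main__":
    stats = summarize_denies(SAMPLE_LOG)
    for proto, dport, hits, nsrc in likely_scan_targets(stats):
        ifaces = ",".join(sorted(stats[(proto, dport)]["ifaces"]))
        print(f"{proto}/{dport}: {hits} denied, {nsrc} distinct sources, via {ifaces}")
```

To run it against a real log, replace SAMPLE_LOG with the relevant lines from /var/log/security (or wherever syslog writes the ipfw facility on your system). Filtering on the "in" direction and the interface name is what answers Ian's topology question: if the denied packets all show "in via ed1", they are reaching the FBSD box's outside interface and are being dropped there, which is consistent with the router forwarding everything as Drew describes.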