From owner-freebsd-security Mon Nov 26 9:42:29 2001
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
Date: Mon, 26 Nov 2001 11:41:55 -0600
To: Drew Tomlinson
Cc: Ian Smith, freebsd-security@freebsd.org
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
Message-ID: <3C027EE3.42197913@centtech.com>

The only time I have seen mass 1214 port probes is when running mp3 p2p
clients, like Morpheus or Kazaa.

Eric
(Sorry if someone mentioned this already, I missed a chunk of mail)

Drew Tomlinson wrote:
>
> ----- Original Message -----
> From: "Ian Smith"
> To: "Drew Tomlinson"
> Cc:
> Sent: Monday, November 26, 2001 6:49 AM
> Subject: Re: Port 1214 - Is It Used For A Specific Purpose?
>
> > On Sun, 25 Nov 2001, Drew Tomlinson wrote:
> >
> > > I was looking over my firewall logs this morning and noticed that there
> > > are many attempts to connect to TCP port 1214 from different addresses.
> >
> > Good replies re the specific gadget, but you'll be seeing similar scans
> > for any number of mystery ports to every accessible address in your net.
> >
> > [..]
> >
> > > P.S. 192.168.10.2 is my outside interface to my firewall. I know it is
> > > a private address but it's OK as my ADSL modem/router gets a public
> > > address from my ISP via DHCP and performs NAT for the rest of my
> > > machines.
> > >
> > > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> > [..]
> > > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> >
> > I don't understand why a firewall, upstream on ed1 as you describe it,
> > would be passing TCP setup for this port on to you in the first place,
> > unless it's a service that's been specifically allowed?
> >
> > Perhaps I misunderstand the topology - is this your local ipfw logging?
>
> My network setup is like this:
>
> ISP
>  |
>  | IP is DHCP (RFC 1918 & draft-manning nets
>  |             inbound blocked here)
>  |
> ADSL Modem/Router (provides DNS & NAT)
>  |192.168.10.1 (RFC 1918 & draft-manning nets
>  |              outbound blocked here)
>  |
>  |192.168.10.2 (ed1)
>  |
> Firewall (FBSD/IPFW Box)
>  |
>  |192.168.1.2 (ed0)
>  |
> Internal Network 192.168.1.0/24
>
> The ADSL modem/router (3Com OCR 812) is set to forward all packets to
> the FBSD box. The modem/router has limited filtering capabilities
> unless I can figure out how to write what the manual terms as "generic
> packet filters" where one actually calculates the offset and examines
> the next "n" bytes (bits?). But irregardless of the type of filter,
> there is no logging as far as I can tell. I set up the FBSD box as a
> firewall for finer control and so that I could see what's happening via
> log files. In other words, the modem/router is mostly a modem. Because
> I have been unsuccessful in setting it up as a bridge (which is what I
> think I really want), I left NAT running on the router as there's no
> reason to NAT twice.
>
> Ultimately, I would like the modem/router to be a modem only and pass
> *everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
> may filter it there. When I originally signed up for DSL, the modem my
> telco offered would only work with Windows as there was no "dial-up"
> software for PPPoA. Thus I went for the router as it does the "dial-up"
> internally.
>
> I've fiddled with my setup several times and this is the best I could
> come up with. However I'm always open to suggestions.
>
> Thanks,
>
> Drew

--
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
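Added example, not part of the thread: Ian's point is that a port hit from many different source addresses (like Drew's 1214 entries) is background scanning rather than one host retrying. The script below parses ipfw log lines in the format Drew quoted and lists destination ports hit by several distinct sources; the log lines are constructed (two addresses are from Drew's excerpt, the rest are documentation ranges) and the threshold of 3 sources is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Field layout of the ipfw log lines quoted in the thread (FreeBSD 4.x syslog):
# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <ifname>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one.
    re.search tolerates the syslog date/host/"/kernel:" prefix in front."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def sources_per_port(lines, iface=None, action="Deny"):
    """Map destination port -> set of distinct source addresses that were
    denied inbound on it (optionally restricted to one interface, e.g. ed1)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != action or rec["dir"] != "in":
            continue
        if iface is not None and rec["iface"] != iface:
            continue
        hits[rec["dport"]].add(rec["src"])
    return hits

def widely_probed_ports(lines, min_sources=3, iface=None):
    """Ports hit by at least min_sources distinct addresses: many unrelated
    sources on one port is the scan pattern Ian describes, not a single retry."""
    per_port = sources_per_port(lines, iface)
    return sorted(p for p, srcs in per_port.items() if len(srcs) >= min_sources)

# Constructed sample log, in the format of Drew's excerpt (addresses made up / from the post).
SAMPLE_LOG = """\
Nov 25 08:01:12 fw /kernel: ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
Nov 25 08:03:40 fw /kernel: ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
Nov 25 08:05:02 fw /kernel: ipfw: 65500 Deny TCP 203.0.113.7:3391 192.168.10.2:1214 in via ed1
Nov 25 08:05:02 fw /kernel: ipfw: 65500 Deny TCP 203.0.113.7:3392 192.168.10.2:1214 in via ed1
Nov 25 08:07:19 fw /kernel: ipfw: 65500 Deny TCP 198.51.100.9:1025 192.168.10.2:22 in via ed1
Nov 25 08:09:55 fw /kernel: ipfw: 100 Accept TCP 192.168.1.5:49152 192.168.1.2:80 in via ed0
""".splitlines()

if __name__ == "__main__":
    print("widely probed ports:", widely_probed_ports(SAMPLE_LOG))  # [1214]
```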