Date: Tue, 15 Sep 2015 09:06:58 +0200
From: "O. Hartmann"
To: freebsd-net@freebsd.org
Subject: HELP! Mysterious socket 843/tcp listening on CURRENT system
Message-ID: <20150915090658.1e0b9074@freyja.zeit4.iv.bundesimmobilien.de>
Organization: FU Berlin

Hopefully, I'm right on this list. If not, please forward.

Running CURRENT as of

    FreeBSD 11.0-CURRENT #3 r287780: Mon Sep 14 13:34:16 CEST 2015 amd64

I check via nmap for open sockets since I had trouble protecting a server with IPFW and NAT. I see a service (nmap)

    Host is up (0.041s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    843/tcp open  unknown

and via sockstat -l -p 843, I get this:

    ? ? ? ? tcp4 *:843 *:*

I double checked all services on the server and I cannot figure out what daemon or service is using this port. The port is exposed through NAT (I use in-kernel NAT on that system).

This service is accessible via telnet host-ip 843:

    Trying 85.179.165.184...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.

Well, I feel pants-down right now since it seems very hard to find out what service is keeping this socket open for communications to the outside world.

Anyone any suggestions?

Thanks in advance,

Oliver
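
One way to pick out rows like the "? ? ? ? tcp4 *:843" line above from full sockstat -l output, so that every listener with no attributed process is listed in one pass. This is an added example, not part of the original message; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP/UDP listeners that sockstat could not attribute
# to any process (USER, COMMAND, PID and FD all printed as "?").

# unowned_listeners: reads `sockstat -l` style output on stdin and prints
# "PROTO LOCAL-ADDRESS PORT" for every row without an owner.
unowned_listeners() {
    awk '
        $1 == "USER" { next }                  # skip the column header
        NF >= 6 && $5 ~ /^(tcp|udp)/ &&
        $1 == "?" && $2 == "?" && $3 == "?" && $4 == "?" {
            port = $6
            sub(/^.*:/, "", port)              # keep text after the last ":"
            printf "%s %s %s\n", $5, $6, port
        }
    '
}

# Constructed sample in sockstat -l layout (not captured from a real host).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     syslogd    501   7  udp4   *:514                 *:*
?        ?          ?     ?  tcp4   *:843                 *:*
?        ?          ?     ?  tcp6   *:843                 *:*
EOF
}

# On a live system: sockstat -l | unowned_listeners
# Run this file with --demo to process the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    sample_sockstat | unowned_listeners
fi
```
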