Manfred Schuler wrote:
> Hi all,
>
> in the last few weeks I discovered some unknown traffic on my firewall.
> I inserted a rule to log all traffic on the input and output chains and found that the
> incoming packet is neither rejected nor denied, but answered by the firewall.
> I am using a stock eigerstein2beta firewall with no port redirection and no additional
> ports opened.
>
> What I don't understand is why the packets are not denied and who is responding to these
> packets.
<snip>
Manfred,

I've never seen these ports before, but hey, with 65K available port numbers, there are all kinds of services available. ;-)

I was curious so I spent some time looking into your question. I may or may not have answered the question for you, but I guess it did give me a chance to get up on the soap box. >:-> (evil grin)

A port is also called a service. The services are defined in /etc/services. A protocol plus a port number and an IP address equals a socket that an application uses to talk to another application. All this information is supplied in case you didn't know this.

I'd say that you didn't realize that you are running some sort of peer-to-peer file sharing service, or you are running one and didn't know the mechanics of how it works. Perhaps you are running Kazaa?

> Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1)

This is the first line you supplied from your log. 80.134.34.59 appears to be your current IP address supplied by your ISP. 1214 is the port number used by the application, i.e. 80.134.34.59:1214. Notice too that this entry is from the input chain. google.com coughed this up, with the port showing Kazaa.

http://www.ec11.dial.pipex.com/port-num1.shtml#1200

1214 Kazaa    Morpheus or KaZaA peer to peer music/file sharing

> Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x0000 T=255 (#1)

This is the second line you supplied from your log. It is an output chain entry. Your firewall is responding back to IP address 213.168.220.62 and port 2605. The firewall is doing its job as NAT (network address translation). It translates the internal network address of your client PC to the firewall's IP address.

There are a number of services that use ports 2600 through 2606. The name networksciences.net came up on one of the service lists, again supplied by google.
If you look at the information I copied from their web site below, networksciences.net appears to supply tools to simplify the task of building a client server application. I may be speculating wildly here, but perhaps Morpheus uses this tool in their application?

seanecovel at attbi dot com supplied this some time ago in the thread "Re: [leaf-user] Blocking protocols at certain times":

http://documents.iss.net/whitepapers/X-Force_P2P.pdf

I found it an interesting read. The angle of the document is: how, as a network admin, do I reduce the risk of all these file sharing and instant messaging systems? The issue in a business is one of trust. Do you really trust that these applications won't become a trojan, etc.?

The question for you as an individual is, if you are running Morpheus, do you want it serving data all the time? Peer-to-peer applications still have a server component to them. If someone finds an exploitable hole in Morpheus they can gain access to your client. This is why web servers are always being patched. Known holes must be patched or the web service will be "owned" by someone else.

Please just be aware of the issues. You could become overly paranoid and not use any application. I think one of the most alarming concepts is how companies like Microsoft feel it is their right or duty to know about you. I'm not sure I'd trust AOL any more on this one. MS Windows Media Player is supposed to send data about your media playing habits to a web site. How are you going to block that, if they are using port 80 that all web servers use?

The firewall does not always block all ports. Some ports are used for other services and should be allowed out. I bring this up because the 260x port range appears to have some other useful ports.

Here's the batch file I run on Windows ME every once in a while to clear the MS media database, which includes the number of times you have played a song. The location is in a slightly different place on MS Windows 2000 and MS Windows XP.
@echo off
rem http://www.w2knews.com/index.cfm?id=352
rem kill wmp database
cd "C:\WINDOWS\All Users\Application Data\Microsoft\Media Index"
attrib -r *.*
del WMPLIBrary*.*

I hope this helps,

Greg

P.S. here's the other port info and stuff on Network Sciences.

http://www.mit.edu/afs/athena/system/rhlinux/config/9.1.10/etc/services

# Ports numbered 2600 through 2606 are used by the zebra package without
# being registered. The primary names are the registered names, and the
# unregistered names used by zebra are listed as aliases.
hpstgmgr        2600/tcp    zebrasrv    # HPSTGMGR
hpstgmgr        2600/udp                # HPSTGMGR
discp-client    2601/tcp    zebra       # discp client
discp-client    2601/udp                # discp client
discp-server    2602/tcp    ripd        # discp server
discp-server    2602/udp                # discp server
servicemeter    2603/tcp    ripngd      # Service Meter
servicemeter    2603/udp                # Service Meter
nsc-ccs         2604/tcp    ospfd       # NSC CCS
nsc-ccs         2604/udp                # NSC CCS
nsc-posa        2605/tcp    bgpd        # NSC POSA
nsc-posa        2605/udp                # NSC POSA
netmon          2606/tcp    ospf6d      # Dell Netmon
netmon          2606/udp                # Dell Netmon

http://www.ec11.dial.pipex.com/port-num2.shtml#2600

nsc = Networksciences.net on port 2605?

http://networksciences.net/Whats_New__/whats_new__.html

A multi-platform subsystem that:
- conforms to all of the TCP/IP connectivity specifications and expertly performs error recovery.
- relieves applications programmers of TCP/IP minutia and connectivity requirements.
- is designed with total unattended operations as an objective.

A client / server application that:
- uses the NSC Open Client / Server to concentrate, switch and/or reformat messages between originating clients and target servers.
- connects to multiple clients that use unlike message formats.
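As an added example (not from Greg's post or the LEAF project), here is a small Python script that parses ipchains "Packet log:" lines like the two Manfred posted and pairs each accepted inbound SYN with the firewall's own outbound reply, naming the local port from a hand-built port table. It assumes that the field after the chain name is the rule target ("-" for a log-only rule, DENY or REJECT when blocked); the third log line and the port table are constructed for the demonstration.

```python
import re

# Constructed sample log in the ipchains "Packet log:" format quoted in the thread: the
# first two lines are the pair Greg analysed, the third is a made-up DENY hit for contrast.
SAMPLE_LOG = """\
Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1)
Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x0000 T=255 (#1)
Aug 18 13:25:01 tunix kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:4321 80.134.34.59:23 L=48 S=0x00 I=100 F=0x4000 T=50 SYN (#3)
"""

# Hand-built port names taken from the thread (assumption; a real tool would read /etc/services).
SERVICES = {1214: "kazaa (Morpheus/KaZaA peer-to-peer)", 2605: "nsc-posa / zebra bgpd", 23: "telnet"}

# Field after the chain name is the rule target: "-" means log only, otherwise DENY/REJECT.
LOG_RE = re.compile(r"Packet log: (?P<chain>input|output) (?P<target>\S+) \S+ PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """Return the fields of one ipchains log line (ports as ints), or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["syn"] = " SYN " in line   # a new connection attempt, not part of an existing flow
    return rec

def answered_inbound(log_text, my_ip):
    """List (remote_ip, remote_port, local_port, service) for every inbound SYN that was
    logged with target '-' (neither DENY nor REJECT) and then answered from my_ip."""
    pending, answered = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["chain"] == "input" and rec["syn"] and rec["dst"] == my_ip:
            if rec["target"] == "-":          # accepted: something behind the firewall listens
                pending.add((rec["src"], rec["sport"], rec["dport"]))
        elif rec["chain"] == "output" and rec["src"] == my_ip:
            key = (rec["dst"], rec["dport"], rec["sport"])   # reply reverses the tuple
            if key in pending:
                pending.discard(key)
                answered.append(key + (SERVICES.get(rec["sport"], "unknown"),))
    return answered

if __name__ == "__main__":
    for remote_ip, remote_port, local_port, svc in answered_inbound(SAMPLE_LOG, "80.134.34.59"):
        print(f"{remote_ip}:{remote_port} -> local port {local_port} ({svc}) was answered")
```

Run against a real ipchains log, any port it reports is one that something on or behind the firewall is actually listening on, which is the first thing to check before adding DENY rules.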
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html