I think it's already covered in the Firewall FAQ, but I agree that Greg's coverage of sockets would be helpful. Perhaps a diff to the firewall FAQ?
Jack

On Mon, 2002-08-19 at 11:45, guitarlynn wrote:
> This would make an excellent FAQ.
> If one of you would like to write it up and finish it, I would
> be more than willing to format it and submit it.
>
>
> On Monday 19 August 2002 01:34, Jeff Newmiller wrote:
> > On Sun, 18 Aug 2002, Greg Morgan wrote:
> > > Manfred Schuler wrote:
> > > > Hi all,
> > > >
> > > > in the last few weeks I discovered some unknown traffic on my
> > > > firewall. I inserted a rule to log all traffic on the input and
> > > > output chains and found that the incoming packet is neither
> > > > rejected nor denied, but answered by the firewall. I am using a
> > > > stock eigerstein2beta firewall with no port redirection and no
> > > > additional ports opened.
> > > >
> > > > What I don't understand is why the packets are not denied and who
> > > > is responding to these packets.
> > >
> > > <snip>
> > >
> > > Manfred,
> > >
> > > I've never seen these ports before, but hey with 65K available port
> > > numbers, there are all kinds of services available. ;-) I was
> > > curious so I spent some time looking into your question. I may or
> > > may not have answered the question for you, but I guess it did give
> > > me a chance to get up on the soap box. >:-> (evil grin)
> >
> > Careful... it looks unsteady up there... don't use a weak
> > foundation...
> >
> > > A port is also called a service.
> >
> > Not correctly. A service is the program that responds when the port
> > is accessed.
> >
> > > The services are defined in /etc/services.
> >
> > This file defines your mapping of services to ports. The fact that
> > we usually stick with the one provided is beside the point, and we
> > (and certainly the untrusted masses "out there") may choose to modify
> > it at any time, so all our interpolations from "ports" in the
> > firewall log are just overly-educated guesswork. :)
> >
> > > A protocol,
> >
> > which you failed to define in context... tcp and udp are the most
> > common protocols in the Internet Protocol sense of the word, and if
> > you are only interested in vanilla internet activity it is easy to
> > forget that others exist that don't even include the concept of
> > "ports". Many people also regard "http" and "ftp" and "CIFS" as
> > protocols, but that is a confusingly different usage of the term than
> > the one you are referring to. The only way to be sure which
> > "protocols" help define a socket is to refer to the software
> > documentation for your networking stack, because sockets are not
> > limited even to the Internet Protocol... they can be used with
> > Appletalk, IPX, or even "internal" communications methods that are
> > not network related.
> >
> > > plus, a port number, and an ip address
> > > equals a socket that an application uses to talk to another
> > > application.
> >
> > Via tcp or udp. Other protocols may omit the port and still have
> > sockets. In fact, the "ports" defined by udp may be assigned to
> > completely different services than the "ports" defined by tcp, though
> > in the typical case for a given "port number" only the tcp or udp
> > version is actually used and the other is reserved to avoid
> > confusion.
> >
> > > All this information is supplied in case you didn't know
> > > this.
> >
> > The "socket" is a software construct that is not really necessary to
> > understand in order to read a firewall log. Nice background if you
> > know it, but not germane to any of the points you make after this,
> > regrettably confusing if described correctly, and unfortunately wrong
> > if presented too simplistically.
> >
> > > I'd say that you didn't realize that you are running some sort of
> > > peer to peer file sharing service, or you are running one and
> > > didn't know the mechanics of how it works. Perhaps you are
> > > running Kazaa?
> >
> > I think you are on target from this point forward.
> >
> > [Very nice subsequent analysis based on ip addresses and ports
> > omitted.]
> >
> > ---------------------------------------------------------------------------
> > Jeff Newmiller                        DCN:<[EMAIL PROTECTED]>
> > Research Engineer (Solar/Batteries/Software/Embedded Controllers)
> > ---------------------------------------------------------------------------
> >
> > -------------------------------------------------------
> > leaf-user mailing list: [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
>
> --
> ~Lynn Avants
> aka Guitarlynn
>
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
>
> If linux isn't the answer, you've probably got the wrong question!

--
Jack Coates
Monkeynoodle: A Scientific Venture...
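Jeff's two points above, that the service name you read off a firewall log is only your local /etc/services guess for a (port, protocol) pair, and that the tcp and udp "ports" with the same number may belong to different services, as an added example that is not part of this thread or of LEAF: a Python script that parses a constructed /etc/services excerpt and annotates constructed ipchains-style "Packet log:" lines. The excerpt, hosts and port numbers are all made up for the demonstration.

```python
import re

# Constructed excerpt in /etc/services format (not the thread's file). Port
# 514 deliberately maps to different services for tcp and udp.
SERVICES_EXCERPT = """\
# Network services, Internet style
ssh       22/tcp    # SSH Remote Login Protocol
domain    53/tcp    nameserver
domain    53/udp    nameserver
shell     514/tcp   cmd
syslog    514/udp
"""

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, portproto = line.split()[:2]        # aliases after col 2 ignored
        port, proto = portproto.split("/")
        table[(int(port), proto.lower())] = name
    return table

# Constructed ipchains-style "Packet log:" lines (hypothetical hosts/ports).
LOG_LINES = [
    "Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:1030 192.168.1.1:514 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)",
    "Packet log: input ACCEPT eth0 PROTO=17 10.0.0.7:1031 192.168.1.1:514 L=80 S=0x00 I=5 F=0x0000 T=64 (#3)",
    "Packet log: input DENY eth0 PROTO=6 10.0.0.9:2048 192.168.1.1:3456 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#7)",
]

PROTO_NAMES = {6: "tcp", 17: "udp"}              # IP protocol numbers
LOG_RE = re.compile(r"PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")

def annotate(log_line, table):
    """Return (proto, dst_port, guessed service) for one log line, or None.
    'unknown' means the local table has no entry; it says nothing about
    what program is really listening there."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    proto = PROTO_NAMES.get(int(m.group(1)), "other")
    dport = int(m.group(5))
    return proto, dport, table.get((dport, proto), "unknown")

if __name__ == "__main__":
    table = parse_services(SERVICES_EXCERPT)
    for line in LOG_LINES:
        print(annotate(line, table))
```

The same destination port 514 comes back as "shell" for the tcp packet and "syslog" for the udp one, and a port absent from the table is reported as unknown rather than guessed.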
