On Tue, 4 Dec 2001, Matthew Cline wrote:

> I have my firewall set up to stop and log attempts to connect to external X
> servers, and this caught three attempts (all in the same second) to connect
> to destination port 6000, from a source port of 25 (SMTP). I don't think
> that my qmail server would attempt to make such a connection. Have I been
> rooted?
>
> Thanks in advance.
>
You mention your qmail server, is that the box that was "attempting to connect" to port 6000 on an outside host?

If the box that is sending traffic from port 25 to port 6000 is a mail server, then you should verify whether these packets are SYNs or, more likely, SYN/ACK or PSH/ACK type packets. In other words, is this really the initiation of a connection, or is it just your mailserver replying to a connection initiated by an outside host (which randomly selected port 6000, so this would not happen often statistically, but it WILL happen) to port 25 on your box? That's my guess.

Now, on the other hand, if your firewall config is specifically looking only for SYNs outbound, i.e. the initiation of new connections outbound for port 6000, then maybe you have a problem.

My guess is that it's cool, and your logging/monitoring method either needs tweaking, or you just have to be aware of this possibility. You'd be in worse shape if it was a high-numbered port connecting to 6000 on an outside host.

HTH,

Wes

--
Wes Bateman, GCIA
Chief Security Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com [EMAIL PROTECTED]
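
The SYN versus SYN/ACK check described in the reply above, as an added example that is not part of the original message. It triages logged outbound packets and assumes the firewall writes Linux netfilter LOG style lines (`SPT=`, `DPT=` and flag tokens); the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Assumption: log lines follow the Linux netfilter LOG layout, where TCP
# flags appear as bare tokens (e.g. "ACK SYN") after the port fields.
FLAG_TOKENS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}
FIELD_RE = re.compile(r"\b(SRC|DST|SPT|DPT|PROTO)=(\S+)")

def parse_line(line):
    """Return (fields, flags) extracted from one log line."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return fields, flags

def classify(line, service_ports=frozenset({25})):
    """Decide whether a logged outbound packet starts a connection.

    A bare SYN (SYN set, ACK clear) is the first packet of a new outbound
    connection. Anything carrying ACK from a local service port is the
    server answering a client that happened to pick that ephemeral port.
    """
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-outbound-connection"
    if int(fields.get("SPT", -1)) in service_ports:
        return "reply-from-local-service"
    return "established-traffic"

def triage(lines):
    """Return (source port, destination port, verdict) per TCP log line."""
    out = []
    for line in lines:
        fields, _ = parse_line(line)
        verdict = classify(line)
        if verdict != "not-tcp":
            out.append((int(fields["SPT"]), int(fields["DPT"]), verdict))
    return out

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=6000 ACK SYN URGP=0",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=6000 ACK PSH URGP=0",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=41022 DPT=6000 SYN URGP=0",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=UDP SPT=53 DPT=6000 LEN=40",
]

if __name__ == "__main__":
    for spt, dpt, verdict in triage(SAMPLE_LOG):
        print(f"{spt} -> {dpt}: {verdict}")
```

Only the third sample line, a bare SYN from a high-numbered port, is a connection initiated from the local box; the two port 25 lines are the mail server answering a remote client.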