Re: Port 1214 - Is It Used For A Specific Purpose?

From: Drew Tomlinson (drew@mykitchentable.net)
Date: 11/26/01


From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Ian Smith" <smithi@nimnet.asn.au>
Date: Mon, 26 Nov 2001 09:38:40 -0800


----- Original Message -----
From: "Ian Smith" <smithi@nimnet.asn.au>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, November 26, 2001 6:49 AM
Subject: Re: Port 1214 - Is It Used For A Specific Purpose?

> On Sun, 25 Nov 2001, Drew Tomlinson wrote:
>
> > I was looking over my firewall logs this morning and noticed that there
> > are many attempts to connect to TCP port 1214 from different addresses.
>
> Good replies re the specific gadget, but you'll be seeing similar scans
> for any number of mystery ports to every accessible address in your net.
>
> [..]
>
> > P.S. 192.168.10.2 is my outside interface to my firewall. I know it is
> > a private address but it's OK as my ADSL modem/router gets a public
> > address from my ISP via DHCP and performs NAT for the rest of my
> > machines.
> >
> > > ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> [..]
> > > ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
>
> I don't understand why a firewall, upstream on ed1 as you describe it,
> would be passing TCP setup for this port on to you in the first place,
> unless it's a service that's been specifically allowed?
>
> Perhaps I misunderstand the topology - is this your local ipfw logging?

My network setup is like this:

       ISP
        |
        | IP is DHCP (RFC 1918 & draft-manning nets
        | inbound blocked here)
        |
 ADSL Modem/Router (provides DNS & NAT)
        |192.168.10.1 (RFC 1918 & draft-manning nets
        | outbound blocked here)
        |
        |192.168.10.2 (ed1)
        |
     Firewall (FBSD/IPFW Box)
        |
        |192.168.1.2 (ed0)
        |
Internal Network 192.168.1.0/24

The ADSL modem/router (3Com OCR 812) is set to forward all packets to
the FBSD box. The modem/router has limited filtering capabilities
unless I can figure out how to write what the manual terms as "generic
packet filters" where one actually calculates the offset and examines
the next "n" bytes (bits?). But regardless of the type of filter,
there is no logging as far as I can tell. I set up the FBSD box as a
firewall for finer control and so that I could see what's happening via
log files. In other words, the modem/router is mostly a modem. Because
I have been unsuccessful in setting it up as a bridge (which is what I
think I really want), I left NAT running on the router as there's no
reason to NAT twice.

Ultimately, I would like the modem/router to be a modem only and pass
*everything* (isn't this what a bridge does?) to ed1 on my FBSD box so I
may filter it there. When I originally signed up for DSL, the modem my
telco offered would only work with Windows as there was no "dial-up"
software for PPPoA. Thus I went for the router as it does the "dial-up"
internally.

I've fiddled with my setup several times and this is the best I could
come up with. However, I'm always open to suggestions.

Thanks,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
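The thread starts from Drew noticing, by reading ipfw deny lines, that many different addresses were hitting one destination port. The script below is an added example (not code from either poster) that does that reading mechanically: it parses lines in the exact format quoted in the thread (`ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`) and reports, per protocol and destination port, how many inbound connection attempts were denied on the outside interface and from how many distinct sources. The sample log is constructed: the first two lines reuse the two quoted in the post, the rest are made-up entries using documentation address ranges. The regex is assumed to cover only TCP/UDP lines that carry port numbers; ICMP lines have a different shape and are skipped.

```python
"""Summarise inbound denies from ipfw log lines such as
    ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
Added example, not code from the mailing-list thread."""
import re
from collections import Counter, defaultdict

# Matches the ipfw log format quoted in the thread. Assumption: only the
# TCP/UDP form with src:port and dst:port is handled; other lines are skipped.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\w+)"
)

# Constructed sample log: first two lines are the ones quoted in the post,
# the remaining entries are made up (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
ipfw: 65500 Deny TCP 203.0.113.9:3001 192.168.10.2:1214 in via ed1
ipfw: 65500 Deny TCP 198.51.100.77:4411 192.168.10.2:1214 in via ed1
ipfw: 65500 Deny TCP 198.51.100.77:4412 192.168.10.2:80 in via ed1
ipfw: 65500 Deny UDP 192.0.2.5:53 192.168.10.2:1024 in via ed1
ipfw: 100 Accept TCP 192.168.1.10:1100 192.0.2.5:80 out via ed0
some unrelated syslog line
"""


def parse_ipfw(lines):
    """Yield one dict of named fields per line that matches IPFW_RE."""
    for line in lines:
        m = IPFW_RE.search(line)
        if m:
            yield m.groupdict()


def summarise_denies(text, iface="ed1"):
    """Return {(proto, dport): (denied_attempts, distinct_sources)} for
    inbound Deny lines on `iface`, ordered by attempt count, highest first."""
    hits = Counter()
    sources = defaultdict(set)
    for rec in parse_ipfw(text.splitlines()):
        if rec["action"] != "Deny" or rec["dir"] != "in" or rec["iface"] != iface:
            continue  # accepted traffic, outbound traffic or another interface
        key = (rec["proto"], int(rec["dport"]))
        hits[key] += 1
        sources[key].add(rec["src"])
    return {k: (n, len(sources[k])) for k, n in hits.most_common()}


def top_port(text, iface="ed1"):
    """The (proto, port) with the most denied inbound attempts, or None."""
    return next(iter(summarise_denies(text, iface)), None)


if __name__ == "__main__":
    for (proto, port), (n, nsrc) in summarise_denies(SAMPLE_LOG).items():
        print(f"{proto}/{port}: {n} denied attempts from {nsrc} distinct sources")
```

Run against a real `/var/log/security` (or wherever syslog puts ipfw output), the distinct-source count is what separates a broad scan like the 1214 case, many sources hitting one port, from a single noisy host; a port that is hit by many sources but that you never opened is noise to be dropped, not a service to investigate on your own box.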
