On Sun, 18 Aug 2002, Greg Morgan wrote:

> Manfred Schuler wrote:
> > Hi all,
> >
> > in the last few weeks I discovered some unknown traffic on my firewall.
> > I inserted a rule to log all traffic on the input and output chains and found that the
> > incoming packet is neither rejected nor denied, but answered by the firewall.
> > I am using a stock eigerstein2beta firewall with no port redirection and no additional
> > ports opened.
> >
> > What I don't understand is why the packets are not denied and who is responding to these
> > packets.
> <snip>
>
> Manfred,
>
> I've never seen these ports before, but hey with 65K available port
> numbers, there are all kinds of services available. ;-) I was curious so
> I spent some time looking into your question. I may or may not have
> answered the question for you, but I guess it did give me a chance to
> get up on the soap box. >:-> (evil grin)
Careful... it looks unsteady up there... don't use a weak foundation...

> A port is also called a service.

Not correctly. A service is the program that responds when the port is
accessed.

> The services are defined in /etc/services.

This file defines your mapping of services to ports. The fact that we usually
stick with the one provided is beside the point, and we (and certainly the
untrusted masses "out there") may choose to modify it at any time, so all our
interpolations from "ports" in the firewall log are just overly-educated
guesswork. :)

> A protocol,

which you failed to define in context... tcp and udp are the most common
protocols in the Internet Protocol sense of the word, and if you are only
interested in vanilla internet activity it is easy to forget that others
exist that don't even include the concept of "ports". Many people also regard
"http" and "ftp" and "CIFS" as protocols, but that is a confusingly different
usage of the term than the one you are referring to. The only way to be sure
which "protocols" help define a socket is to refer to the software
documentation for your networking stack, because sockets are not limited even
to the Internet Protocol... they can be used with Appletalk, IPX, or even
"internal" communications methods that are not network related.

> plus, a port number, and an ip address
> equals a socket that an application uses to talk to another
> application.

Via tcp or udp. Other protocols may omit the port and still have sockets. In
fact, the "ports" defined by udp may be assigned to completely different
services than the "ports" defined by tcp, though in the typical case for a
given "port number" only the tcp or udp version is actually used and the
other is reserved to avoid confusion.

> All this information is supplied in case you didn't know
> this.

The "socket" is a software construct that is not really necessary to
understand in order to read a firewall log.
Nice background if you know it, but not germane to any of the points you make
after this, regrettably confusing if described correctly, and unfortunately
wrong if presented too simplistically.

> I'd say that you didn't realize that you are running some sort of peer
> to peer file sharing service, or you are running one and didn't know the
> mechanics of how it works. Perhaps you are running Kazaa?

I think you are on target from this point forward.

[Very nice subsequent analysis based on ip addresses and ports omitted.]

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
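The point Jeff makes about /etc/services, that a port number in a firewall log is only a locally configured guess at a service, and that the tcp and udp "ports" with the same number are separate entries, is easy to see in code. The following is an added example and not part of the thread or of LEAF. The services table is a constructed excerpt written in /etc/services syntax, and the log lines are constructed in a simple key=value format rather than the actual ipchains/LEAF log format; the function and variable names are mine.

```python
"""Resolve (port, protocol) pairs from firewall-log lines against an
/etc/services-style table, and show where the lookup gives no answer.

Added example, not from the original thread. SERVICES_TEXT is a
constructed excerpt in /etc/services syntax; LOG_LINES is a constructed
key=value log format, not real LEAF/ipchains output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in /etc/services syntax: "name port/proto [aliases] [# comment]".
# Note that 514 names different services under tcp and udp.
SERVICES_TEXT = """\
# Network services, Internet style (constructed excerpt)
ftp             21/tcp
ssh             22/tcp
ssh             22/udp
domain          53/tcp          # name-domain server
domain          53/udp
http            80/tcp          www www-http   # WorldWideWeb HTTP
http            80/udp          www www-http
syslog          514/udp
shell           514/tcp         cmd            # no passwords used
"""

# Constructed log lines (key=value, hypothetical format for illustration only).
LOG_LINES = """\
IN=eth0 PROTO=tcp SRC=203.0.113.5 SPT=4567 DST=192.0.2.1 DPT=514
IN=eth0 PROTO=udp SRC=203.0.113.5 SPT=4567 DST=192.0.2.1 DPT=514
IN=eth0 PROTO=udp SRC=203.0.113.9 SPT=53 DST=192.0.2.1 DPT=1025
IN=eth0 PROTO=tcp SRC=198.51.100.7 SPT=3392 DST=192.0.2.1 DPT=12345
"""

ServiceTable = Dict[Tuple[int, str], str]


def parse_services(text: str) -> ServiceTable:
    """Parse /etc/services syntax into a {(port, proto): name} mapping.

    Comments (#...) and blank lines are skipped; aliases after the
    port/proto field are ignored, as getservbyport() would treat them.
    """
    table: ServiceTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: no port/proto field
        name, portproto = fields[0], fields[1]
        m = re.fullmatch(r"(\d+)/(\w+)", portproto)
        if not m:
            continue
        table[(int(m.group(1)), m.group(2).lower())] = name
    return table


def lookup(table: ServiceTable, port: int, proto: str) -> Optional[str]:
    """Return the locally configured name for (port, proto), or None.

    The key is the pair, not the bare port: 514/tcp and 514/udp are
    independent entries, and an unlisted pair is simply unknown.
    """
    return table.get((port, proto.lower()))


def annotate_log(table: ServiceTable, log_text: str) -> List[Tuple[int, str, Optional[str]]]:
    """For each log line, return (dest port, proto, guessed service name).

    The name comes from the local table only; it says nothing about what
    program actually answered on the firewall.
    """
    results = []
    for line in log_text.splitlines():
        kv = dict(f.split("=", 1) for f in line.split() if "=" in f)
        proto = kv["PROTO"]
        dport = int(kv["DPT"])
        results.append((dport, proto, lookup(table, dport, proto)))
    return results


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    for dport, proto, name in annotate_log(services, LOG_LINES):
        print(f"{dport}/{proto}: {name if name else 'not in /etc/services (unknown)'}")
```

Running it shows 514/tcp resolving to "shell" and 514/udp to "syslog" from the same port number, while 1025/udp and 12345/tcp resolve to nothing at all. Editing SERVICES_TEXT changes the names the log is annotated with without changing a single packet, which is exactly why the name is a guess and only the responding program (found with something like netstat on the firewall itself) settles the question.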