Re: [Leaf-user] Dachstein firewall questions
> 1) All tested ports show up as Stealth, ie they don't respond when a connection attempt is made from outside... Except Port 5000 (UPnP) which shows up as closed. What is UPnP? Why does this port respond? Not a big deal, but it does show outsiders that my address has a machine behind it.

One would assume UPnP stands for universal plug and play (I know that MS has vulnerabilities in Windows XP and other versions that have certain patches applied). Possibly that's why it is being scanned. I'm not sure why it isn't stealthed - but as long as it is closed you should be fine (unless for some reason it is being forwarded to an internal machine that selectively opens/closes the port depending on what is running).

> 2) My port 53 is getting whacked hard for 10-20 seconds once or twice a day from the same group of IP's. Anyone know what this might be? Trying to find a bind vulnerability? Should I bother tracking down the IP's?

If you're getting hundreds of hits in a few seconds it is because there is some company out there manufacturing products that use port 53 for load balancing (stupid I know). This started being an issue last year actually. It is generally caused by popups and banners. It can fill your logs so you should silently deny this stuff.

> 3) I also notice occasional random inbound attempts from 192.168.x.x and 10.x.x.x. Shouldn't my ISP be preventing this sort of thing?

If someone on your subnet is doing it and it's not going thru a router then there is nothing they can do. It'll really become an issue if they install DHCP on their external interface (when I worked at an ISP lots of customers would install internet connection sharing incorrectly and start serving 192.168 IPs).

HTH
S

___
Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] Dachstein firewall questions
Hi Christopher

I tried the ShieldsUp Portscan. It shows my Firewall's TCP Port 5000 as closed too. It seems that this is a problem of the ShieldsUp Scan Engine/Homepage. I definitely DENY TCP Port 5000.

---
Sandro Minola | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Christopher Holmes
Sent: Thursday, February 21, 2002 4:36 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Dachstein firewall questions

I'm running Dachstein haven't changed any of the ipchains rules. I just ran Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) to test out the firewall. A few questions...

1) All tested ports show up as Stealth, ie they don't respond when a connection attempt is made from outside... Except Port 5000 (UPnP) which shows up as closed. What is UPnP? Why does this port respond? Not a big deal, but it does show outsiders that my address has a machine behind it.

2) My port 53 is getting whacked hard for 10-20 seconds once or twice a day from the same group of IP's. Anyone know what this might be? Trying to find a bind vulnerability? Should I bother tracking down the IP's?

3) I also notice occasional random inbound attempts from 192.168.x.x and 10.x.x.x. Shouldn't my ISP be preventing this sort of thing?

Thanks,
Chris
Re: [Leaf-user] Dachstein firewall questions
Christopher Holmes wrote:

> I'm running Dachstein haven't changed any of the ipchains rules. I just ran Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) to test out the firewall. A few questions...

snip

> 2) My port 53 is getting whacked hard for 10-20 seconds once or twice a day from the same group of IP's. Anyone know what this might be? Trying to find a bind vulnerability? Should I bother tracking down the IP's?

This is probably from a group of servers that work together using tcp port 53 to apparently try to find out your location geographically. They do this to assign a web request to the closest server to you. This is some sort of proprietary (who would claim such a monster) method. If you want to know more about it look up port 53 scans on the list archive. There was extensive discussion and research several months ago on the list of IPs. Just put the whole list in

SILENT_DENY="tcp_ip.number.of.flood_53 tcp_next.ip.no_53"

svi network ipfilter reload

If everything loads up ok - no error messages from typos - then backup etc.

> 3) I also notice occasional random inbound attempts from 192.168.x.x and 10.x.x.x. Shouldn't my ISP be preventing this sort of thing?

Not necessarily. It may be coming from machines on your ISP's network.

> Thanks, Chris

Victor McAllister
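
Added example, not part of the thread or of the LEAF project's code: a log triage script that turns denied-packet log lines into the `SILENT_DENY` value in the `proto_ip_port` form shown in the message above, and separately lists the 192.168.x.x / 10.x.x.x sources from question 3. The standard ipchains `Packet log:` line format, the `eth0` external interface, the threshold of 3 hits and the sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed input: the standard ipchains "-l" kernel log line.
LOG_RE = re.compile(
    r"Packet log: \S+ (?P<verdict>DENY|REJECT) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+)"
)
PROTO = {"6": "tcp", "17": "udp"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
Feb 21 16:01:01 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2001 192.0.2.10:53 L=44 S=0x00 I=1 F=0x0000 T=48 SYN (#12)
Feb 21 16:01:01 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2002 192.0.2.10:53 L=44 S=0x00 I=2 F=0x0000 T=48 SYN (#12)
Feb 21 16:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:3001 192.0.2.10:53 L=44 S=0x00 I=3 F=0x0000 T=51 SYN (#12)
Feb 21 16:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2003 192.0.2.10:53 L=44 S=0x00 I=4 F=0x0000 T=48 SYN (#12)
Feb 21 16:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:3002 192.0.2.10:53 L=44 S=0x00 I=5 F=0x0000 T=51 SYN (#12)
Feb 21 16:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:3003 192.0.2.10:53 L=44 S=0x00 I=6 F=0x0000 T=51 SYN (#12)
Feb 21 16:01:04 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2004 192.0.2.10:53 L=44 S=0x00 I=7 F=0x0000 T=48 SYN (#12)
Feb 21 16:05:10 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:4001 192.0.2.10:53 L=44 S=0x00 I=8 F=0x0000 T=52 SYN (#12)
Feb 21 16:07:30 fw kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.50:137 192.0.2.10:137 L=78 S=0x00 I=9 F=0x0000 T=120 (#5)
Feb 21 16:09:44 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1055 192.0.2.10:53 L=44 S=0x00 I=10 F=0x0000 T=60 SYN (#5)
"""

def analyse(lines, ext_if="eth0", port=53, threshold=3):
    """Return (SILENT_DENY value, sorted RFC 1918 sources seen on ext_if)."""
    hits, private = Counter(), set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != ext_if:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in RFC1918):
            # Private source on the outside interface: report it, never list it
            # per address, since the source address is not meaningful.
            private.add(str(src))
        elif int(m["dport"]) == port:
            hits[(PROTO.get(m["proto"], m["proto"]), str(src))] += 1
    # Only sources that hit the port repeatedly are worth a silent-deny entry.
    noisy = sorted(k for k, n in hits.items() if n >= threshold)
    return " ".join(f"{p}_{ip}_{port}" for p, ip in noisy), sorted(private)

if __name__ == "__main__":
    value, private = analyse(SAMPLE_LOG.splitlines())
    print(f'SILENT_DENY="{value}"')
    print("RFC 1918 sources on external interface:", private)
```

The single hit from 203.0.113.77 stays below the threshold and is left to the normal logged deny rule, which keeps the silent list limited to the repeat sources.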