From: Kimmo Paasiala
To: "O. Hartmann"
Cc: FreeBSD Net
Date: Tue, 15 Sep 2015 10:21:21 +0300
Subject: Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

On Tue, Sep 15, 2015 at 10:06 AM, O. Hartmann wrote:
> Hopefully, I'm right on this list. If not, please forward.
>
> Running CURRENT as of FreeBSD 11.0-CURRENT #3 r287780: Mon Sep 14 13:34:16
> CEST 2015 amd64, I check via nmap for open sockets since I had trouble
> protecting a server with IPFW and NAT.
>
> I see a service (nmap)
>
> Host is up (0.041s latency).
> Not shown: 998 filtered ports
> PORT STATE SERVICE
> 843/tcp open unknown
>
> and via sockstat -l -p 843, I get this:
> ? ? ? ? tcp4 *:843 *:*
>
> I double checked all services on the server and I can not figure out what
> daemon or service is using this port. The port is exposed through NAT (I use
> in-kernel NAT on that system).
> This service is accessible via telnet host-ip 843:
>
> Trying 85.179.165.184...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
>
>
> Well, I feel pants-down right now since it seems very hard to find out what
> service is keeping this socket open for communications to the outside world.
>
> Anyone any suggestions?
>
> Thanks in advance,
> Oliver

As delphij@ noted, it's most likely something that uses rpcbind(3).

Why are your filter rules allowing unknown ports to be open to the
internet? Don't you have a default deny policy in place?
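
One way to follow up on the rpcbind suggestion, as an added example that is not part of the original message: correlate the ownerless `? ? ? ?` rows from `sockstat -l` with the registrations that `rpcinfo -p` reports. Both sample outputs below are constructed, not the poster's data, and the function names are hypothetical.

```python
# Constructed sample of `sockstat -4 -l` output; the "?" rows have no owning process.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     rpcbind    640   11 tcp4   *:111                 *:*
?        ?          ?     ?  tcp4   *:843                 *:*
?        ?          ?     ?  udp4   *:999                 *:*
"""

# Constructed sample of `rpcinfo -p` output.
RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100021    4   tcp    843  nlockmgr
"""

def parse_sockstat(text):
    """Yield (command, proto, port) for each listening socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 7:
            continue
        port = f[5].rsplit(":", 1)[-1]
        if port.isdigit():
            yield f[1], f[4].rstrip("46"), int(port)   # tcp4/tcp6 -> tcp

def parse_rpcinfo(text):
    """Map (proto, port) -> sorted RPC service names registered with rpcbind."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():
            continue                            # header or malformed row
        name = f[4] if len(f) > 4 else "program " + f[0]
        table.setdefault((f[2], int(f[3])), set()).add(name)
    return {k: sorted(v) for k, v in table.items()}

def explain_orphans(sockstat_text, rpcinfo_text):
    """List ownerless listeners and any RPC registration on the same port."""
    rpc = parse_rpcinfo(rpcinfo_text)
    return [(proto, port, rpc.get((proto, port), []))
            for cmd, proto, port in parse_sockstat(sockstat_text) if cmd == "?"]

if __name__ == "__main__":
    for proto, port, services in explain_orphans(SOCKSTAT, RPCINFO):
        print(f"{port}/{proto}: {', '.join(services) or 'no RPC registration, investigate'}")
```

An ownerless listener with no matching registration, like the constructed 999/udp row, is the case that still needs investigation and should stay behind the default-deny rule in the meantime.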