Delivered-To: freebsd-security@freebsd.org
Date: Fri, 25 May 2001 19:40:56 +0100
From: David Taylor
To: Matt Dillon
Subject: Re: 'nother IPFW question
Message-ID: <20010525194056.A19706@gattaca.yadt.co.uk>
In-Reply-To: <200105251828.f4PIS1Y41320@earth.backplane.com>

On Fri, 25 May 2001, Matt Dillon wrote:
>
> :IPFW caught a TCP packet leaving my port 1119 going to another port 113
> :I am a little worried about this, since there is nothing running on my
> :machine on 1119 that I know of.
> :
> :Is there a good way of finding out what is sending on port 1119? I am
> :only learning about securing my box, and it is hard to find all the info
> :I need.
> :
> :Thank you so much,
> :
> :Raoul
>
>     Sounds like one of your users simply ran a pop based mail program.
>

Wrong port, I think :) POP is 110. 113 is auth. Sounds like someone on a
remote server connected to some port on your box, which tried to perform an
ident lookup...

As for what is 'sending on port 1119', ports which are used on the local end
of outgoing connections are essentially random, and are allocated by the
kernel when you try to create an outgoing connection.

-- 
David Taylor
davidt@yadt.co.uk
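
An added example, not part of the original thread: one way to answer "what is sending on port 1119" is to match the logged packet against the socket table while the connection is still open. The log line and the `sockstat` listing below are constructed samples, their layouts are assumed to match a stock FreeBSD system, and the use of `sockstat` itself is an assumption (the thread does not name a tool).

```python
import re

# Constructed samples (not from the original post). The ipfw log and sockstat
# column layouts are assumed to match a stock FreeBSD system.
IPFW_LOG = ("May 25 11:20:01 host /kernel: ipfw: 65000 Deny TCP "
            "10.0.0.2:1119 192.0.2.10:113 out via ed0")
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       201   3  tcp4   *:22                  *:*
root     sendmail   312   4  tcp4   *:25                  *:*
root     sendmail   845   5  tcp4   10.0.0.2:25           192.0.2.10:40321
root     sendmail   845   6  tcp4   10.0.0.2:1119         192.0.2.10:113
"""

LOG_RE = re.compile(r"ipfw: \d+ \w+ TCP (\S+):(\d+) (\S+):(\d+) (in|out) via \S+")

def parse_sockstat(text):
    """Yield one dict per socket line of `sockstat -4` style output."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 7:
            user, cmd, pid, _fd, _proto, local, foreign = fields
            yield {"user": user, "cmd": cmd, "pid": int(pid),
                   "local": local, "foreign": foreign}

def explain(log_line, sockstat_text):
    """Match a logged packet to the socket (and process) that owns it."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None
    src, sport, dst, dport, direction = m.groups()
    # For an outgoing packet the local endpoint is the source side.
    local, remote = f"{src}:{sport}", f"{dst}:{dport}"
    if direction == "in":
        local, remote = remote, local
    socks = list(parse_sockstat(sockstat_text))
    owner = next((s for s in socks
                  if s["local"] == local and s["foreign"] == remote), None)
    if owner is None:
        return None  # socket already closed, so nothing left to attribute
    remote_host, remote_port = remote.rsplit(":", 1)
    # Same process, same remote host: the inbound connection behind the ident query.
    related = [s["local"] for s in socks if s["pid"] == owner["pid"]
               and s is not owner and s["foreign"].startswith(remote_host + ":")]
    return {"cmd": owner["cmd"], "pid": owner["pid"], "user": owner["user"],
            "ident_query": remote_port == "113", "triggered_by": related}

if __name__ == "__main__":
    print(explain(IPFW_LOG, SOCKSTAT))
```

Ident queries are short-lived, so the socket table has to be captured while the connection still exists; once it closes, `explain` returns `None` and only the firewall log remains.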