From: Matt Dillon
Date: Fri, 25 May 2001 12:20:06 -0700 (PDT)
Message-Id: <200105251920.f4PJK6L42034@earth.backplane.com>
To: "tjk@tksoft.com", memphis_ms@gmx.net (Raoul Schroeder), David Taylor
Cc: freebsd-security@FreeBSD.ORG (FreeBSD Security)
Subject: Re: 'nother IPFW question
References: <3B0EA2AE.5B00EB2@gmx.net> <200105251828.f4PIS1Y41320@earth.backplane.com> <20010525194056.A19706@gattaca.yadt.co.uk>

    Whup!  Not pop.  Auth.  It's probably sendmail.  In any case, not
    anything that generally needs to be worried about.

    I usually do not run identd, but I usually do allow the service
    through the firewall so the server not running it can respond with
    a TCP reset.  Otherwise remote sendmails using auth will stall trying
    to send email to you for ~30 seconds.  Alternatively the firewall can
    be programmed to return an ICMP error itself, but I try to avoid
    having the firewall do actual work to make it more resistant to DOS
    attacks.

                                        -Matt

:> :only learning about securing my box, and it is hard to find all the info
:> :I need.
:> :
:> :Thank you so much,
:> :
:> :Raoul
:>
:>     Sounds like one of your users simply ran a pop based mail program.
:>
:
:Wrong port, I think :)
:
:POP is 110.
:
:113 is auth.
:
:Sounds like someone on a remote server connected to some port on your box,
:which tried to perform an ident lookup...
:
:As for what is 'sending on port 1119', ports which are used on the local end
:of outgoing connections are essentially random, and are allocated by the
:kernel when you try to create an outgoing connection.
:
:--
:David Taylor
:davidt@yadt.co.uk
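An added example, not part of the original message: a small Python probe for checking which of the behaviours discussed above a host shows on the auth port (fast refusal, silent drop, or an unreachable error). The function names, verdict labels and timeout values are assumptions of this example; the loopback demo only exercises the fast-refusal case.

```python
import errno
import socket
import time

IDENT_PORT = 113  # auth/ident, the port discussed in the thread


def classify_port(host, port=IDENT_PORT, timeout=5.0):
    """Return (verdict, seconds) describing how host:port answers a TCP connect."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"          # something (e.g. identd) is listening
    except ConnectionRefusedError:
        # Fast failure: the closed port answered with a TCP RST. Some stacks
        # report an ICMP port-unreachable from a firewall the same way.
        verdict = "refused"
    except socket.timeout:
        # No answer at all within the timeout: the SYN was silently dropped,
        # which is the case that makes remote mailers stall.
        verdict = "dropped"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"   # an ICMP unreachable error came back
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def closed_loopback_port():
    """Pick a loopback port with no listener (constructed test target)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Demo against a closed local port; point it at your own host and
    # IDENT_PORT from outside the firewall to check the real rule set.
    verdict, secs = classify_port("127.0.0.1", closed_loopback_port(), timeout=3.0)
    print(f"{verdict} after {secs:.3f}s")
```

A "refused" verdict in well under a second is the behaviour the message aims for; "dropped" after the full timeout is what a connecting mail server would experience as a stall.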