From: Paul Schmehl
To: Colin Brace, freebsd-questions@freebsd.org
Date: Tue, 25 Aug 2009 15:04:08 +0000
In-Reply-To: <25134277.post@talk.nabble.com>
Subject: Re: what www perl script is running?
--On Tuesday, August 25, 2009 08:30:17 -0500 Colin Brace wrote:

> Bill, one more thing:
>
> Bill Moran wrote:
>>
>> You can add an ipfw rule to prevent the script from calling home, which
>> will effectively render it neutered until you can track down and actually
>> _fix_ the problem.
>
> Mike Bristow above wrote: "The script is talking to 94.102.51.57 on port
> 7000". OK, so how do I know what port the script is using for outgoing
> traffic on MY box? 7000 is the remote host port, right?
>
> FWIW, here are my core PF lines:
>
> pass out quick on $ext_if proto 41
> pass out quick on gif0 inet6
> pass in quick on gif0 inet6 proto icmp6
> block in log
>
> That is to say: nothing is allowed in unless explicitly allowed.
> Everything allowed out.
> (plus some ipv6 stuff I was testing with a tunnel)

The problem with blocking outbound ports is that it breaks things in odd
ways. For example, your mail server listens on port 25 (and possibly 465
as well) but it communicates with connecting clients on whatever ephemeral
port the client decided to use. If the port the client selects happens to
be in a range that you are blocking, communication will be impossible and
the client will report that your mail server is non-responsive.

It's much easier to block outgoing ports for services you *don't* want to
offer, but, if the service isn't running anyway, blocking the port is
non-productive.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
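An added example, not part of this thread and not Colin's or Paul's actual ruleset: a pf.conf fragment that answers Colin's question by blocking and logging only traffic to the address and port Mike Bristow reported (the script's local port is ephemeral and never needs to be matched), while keeping the "everything allowed out" policy stateful so the client-port problem Paul describes does not arise. The interface name and the port 25 rule are assumptions.

```pf
# Added example for this thread. Assumes /etc/pf.conf with $ext_if defined
# as in Colin's rules; the callback destination 94.102.51.57:7000 is the one
# Mike Bristow reported on the list.

ext_if = "em0"          # assumed interface name; substitute your own

# Hosts the compromised script calls home to. A persistent table can be
# extended at runtime without reloading the whole ruleset, e.g.
#   pfctl -t callhome -T add 192.0.2.1     (documentation address only)
table <callhome> persist { 94.102.51.57 }

# Block and log only the outbound connection to the callback host and port.
# The script's *local* port is ephemeral and differs per connection, so it
# does not need to be known; the rule matches on destination instead.
block out log quick on $ext_if proto tcp from any to <callhome> port 7000

# Broader variant if the remote port changes: drop everything to the hosts.
# block out log quick on $ext_if to <callhome>

# Keep "everything allowed out", but stateful. Once a state entry exists,
# replies from a listening service such as the mail server on port 25 are
# matched by state and flow back to whatever ephemeral port the client
# chose, so an outbound block by destination cannot break the service the
# way blocking a local port range would. (keep state is already the default
# for pass rules in current PF; it is written out here for clarity.)
pass out quick on $ext_if keep state
pass in quick on $ext_if proto tcp to port 25 keep state   # assumed service

block in log

# Load the ruleset and watch blocked callback attempts:
#   pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0
# The local port the script is using at any moment can be seen with:
#   sockstat -4 -c | grep 94.102.51.57
```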