Date: Tue, 15 Sep 2015 10:21:21 +0300
From: Kimmo Paasiala <kpaasial@gmail.com>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: HELP! Mysterious socket 843/tcp listening on CURRENT system
Message-ID: <CA%2B7WWSdW_JTL%2BKt_WcaLVDVLhtBnUGkXXNJezvTSkDy4rHLjPw@mail.gmail.com>
In-Reply-To: <20150915090658.1e0b9074@freyja.zeit4.iv.bundesimmobilien.de>
References: <20150915090658.1e0b9074@freyja.zeit4.iv.bundesimmobilien.de>

On Tue, Sep 15, 2015 at 10:06 AM, O. Hartmann <ohartman@zedat.fu-berlin.de> wrote:
> Hopefully, I'm right on this list. If not, please forward.
>
> Running CURRENT as of FreeBSD 11.0-CURRENT #3 r287780: Mon Sep 14 13:34:16
> CEST 2015 amd64, I check via nmap for open sockets since I had trouble
> protecting a server with IPFW and NAT.
>
> I see a service (nmap)
>
> Host is up (0.041s latency).
> Not shown: 998 filtered ports
> PORT STATE SERVICE
> 843/tcp open unknown
>
> and via sockstat -l -p 843, I get this:
> ? ? ? ? tcp4 *:843 *:*
>
> I double checked all services on the server and I cannot figure out what
> daemon or service is using this port. The port is exposed through NAT (I use
> in-kernel NAT on that system).
> This service is accessible via telnet host-ip 843:
>
> Trying 85.179.165.184...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
>
>
> Well, I feel pants-down right now since it seems very hard to find out what
> service is keeping this socket open for communications to the outside world.
>
> Anyone any suggestions?
>
> Thanks in advance,
> Oliver

As delphij@ noted, it's most likely something that uses rpcbind(3). Why
are your filter rules allowing unknown ports to be open to the
internet? Don't you have a default deny policy in place?
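
One way to test the rpcbind hypothesis from the reply above, as an added example that is not part of the original thread: list every listener that sockstat shows with a "?" owner and look its port up in the rpcbind port map. The function name orphan_listeners and both sample inputs are constructed for illustration; in particular, the sample's mapping of port 843 to nlockmgr is made up and is not a finding about the poster's host.

```shell
#!/bin/sh
# Added example: cross-reference ownerless listeners (`sockstat -l`)
# with the RPC port map (`rpcinfo -p`). All sample data is constructed.

# Constructed `sockstat -l` output; the 843 row mirrors the one in the post.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22            *:*
root     rpcbind    598   11 tcp4   *:111           *:*
?        ?          ?     ?  tcp4   *:843           *:*
?        ?          ?     ?  udp4   *:10001         *:*'

# Constructed `rpcinfo -p` output (the port-to-service mapping is an assumption).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100024    1   tcp    912  status
    100021    4   tcp    843  nlockmgr'

# orphan_listeners SOCKSTAT_TEXT RPCINFO_TEXT
# Prints "<proto> <port> <rpc service or UNREGISTERED>" for each listener
# that has no owning user process (USER column is "?").
orphan_listeners() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { in_sock = 1; next }
        # rpcinfo rows: program vers proto port [service]
        !in_sock && $1 ~ /^[0-9]+$/ {
            rpc[$3 ":" $4] = ($5 != "" ? $5 : "prog-" $1)
            next
        }
        # sockstat rows: USER COMMAND PID FD PROTO LOCAL FOREIGN
        in_sock && $1 == "?" {
            n = split($6, a, ":"); port = a[n]   # last field handles IPv6 too
            proto = $5; sub(/[46]+$/, "", proto) # tcp4/tcp6/tcp46 -> tcp
            key = proto ":" port
            svc = (key in rpc) ? rpc[key] : "UNREGISTERED"
            print proto, port, svc
        }'
}

# Demo run on the constructed samples.
orphan_listeners "$SOCKSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

On a live FreeBSD host the call would be `orphan_listeners "$(sockstat -l)" "$(rpcinfo -p)"`. A port reported as UNREGISTERED is not explained by rpcbind and needs a different line of investigation.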