FW port 113 keeps open
Dear susers
I am installing a new FW with SuSE 8.0. I don't know how the
port TCP 113 keeps open...
I just want to open a few ports to the world:
FW_SERVICES_EXT_TCP="ssh smtp http https"
When I scan the TCP ports from the external iface I see
that port 113 is not rejected:
22/tcp open ssh
25/tcp open smtp
80/tcp open http
113/tcp closed auth
443/tcp open https
I have checked the iptables command used by the FW and
it seems ok:
montblanc:/home/pep # SuSEfirewall2 debug | grep 113
iptables -A input_ext -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
iptables -A input_dmz -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
iptables -A input_int -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
It should be rejecting any connections to port 113...
So far it is not a big risk because I do not run any
application on that port. How can I reject connections
to port 113? Why is the SuSE FW allowing port 113???
Cheers!
Pep Serrano
Pep wrote:
> I am installing a new FW with SuSE 8.0. I don't know how the port TCP 113 keeps open...
> I have checked the iptables command used by the FW and it seems ok:
> montblanc:/home/pep # SuSEfirewall2 debug | grep 113
> iptables -A input_ext -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
> iptables -A input_dmz -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
> iptables -A input_int -j REJECT -p tcp --dport 113 --syn --reject-with tcp-reset
> It should be rejecting any connections to port 113...
> So far it is not a big risk because I do not run any application on that port. How can I reject connections to port 113? Why is the SuSE FW allowing port 113???

Port 113 is the "identd", a daemon useful for finding out which user has opened a connection to your server. If you close this port with "DROP" your client will hang when sending mail or connecting to an FTP site. The firewall rules you listed above should close the port on the firewall machine itself. I would recommend that you leave the port open so that you will not have to endure the hang period.

Peter
It does exactly what you said, it REJECTS the packet. Reject means that a "reject packet" is sent back to the remote host. If you had a deny rule here, the firewall would just drop the packet (that's the difference between deny and reject). NMAP gets the reject packet and assumes that the port is there but closed (hence the "closed" state). 113 is usually set to REJECT instead of DENY because some services tend to take some time to realize that auth over 113 is disabled when they are waiting for the response. Reject tells them that auth is disabled.

ciao
Tom

Pep wrote:
> When I scan the TCP ports from the external iface I see that port 113 is not rejected:
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 113/tcp closed auth
> 443/tcp open https

--
this is a maillist account, so please send personal replies to cso[at]trium[dot]de
Hi Thomas. Thanks for your explanation. Now I understand the complete scene... Anyway, what would be the practical difference if I open the port 113 in the firewall??? Nmap would keep reporting 113 as "closed" as long as I don't start any application listening on that port... Am I right?

Nice weekend everybody!

On Friday 13 September 2002 17:19, Thomas Seliger wrote:
> It does exactly what you said, it REJECTS the packet. Reject means that a "reject packet" is sent back to the remote host. If you had a deny rule here, the firewall would just drop the packet (that's the difference between deny and reject).
> NMAP gets the reject packet and assumes that the port is there but closed (hence the "closed" state).
> 113 is usually set to REJECT instead of DENY because some services tend to take some time to realize that auth over 113 is disabled when they are waiting for the response. Reject tells them that auth is disabled.
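The two points made in this thread (a REJECT with tcp-reset produces the same "closed" verdict a scanner gives a port with no listener, while a DROP leaves the client waiting out its timeout, which is the "hang" Peter mentions) can be seen with a plain connect probe. The script below is an added example, not code from the thread or from SuSEfirewall2; it classifies a port by what the TCP stack answers and times the probe, and its demo binds a throwaway listener on 127.0.0.1 so it runs offline. The three-way outcome mapping and the `tcp_probe`/`demo` names are this example's own.

```python
import socket
import time


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> tuple[str, float]:
    """Classify a TCP port the way a connect scan does and report how long it took.

    Outcomes, mapped from what the remote stack sends back:
      handshake completes        -> "open"      a service is listening
      RST (connection refused)   -> "closed"    a REJECT --reject-with tcp-reset rule,
                                                or simply nothing listening on the port
      nothing within the timeout -> "filtered"  a DROP rule swallowed the SYN; the
                                                caller waits the full timeout (the hang)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    finally:
        sock.close()
    return state, time.monotonic() - started


def demo(timeout: float = 2.0) -> dict:
    """Constructed local demonstration: one port probed with and then without a listener.

    With no firewall rule in the way, the kernel answers a SYN to an unbound port with
    RST, which is exactly what the REJECT rule in the thread sends, so a scanner reports
    "closed" either way. The "filtered" branch is what a DROP rule would produce; it is
    not exercised here because it needs a host that silently discards the SYN.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the kernel pick a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    results = {}
    results["with_listener"] = tcp_probe("127.0.0.1", port, timeout)
    listener.close()  # nothing listening now: the kernel replies to SYN with RST
    results["without_listener"] = tcp_probe("127.0.0.1", port, timeout)
    return results


if __name__ == "__main__":
    for label, (state, elapsed) in demo().items():
        print(f"{label:17s} -> {state:8s} ({elapsed * 1000:.1f} ms)")
```

Both probes in the demo return well under the timeout because the stack answers immediately; the only way to make the second probe take the full two seconds is a rule that discards the SYN without replying, which is the behaviour the thread advises against for port 113.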
participants (4): Pep, Pep Serrano, Peter Wiersig, Thomas Seliger