High Ports >=1024 <=65535 are used for FTP Transfer, and only opened if related to a previous session. For example, if you initiate an ftp session to some FTP Server out there, you would talk to destination Port 21. Any packets from the FTP Server are - until data transfer - from Port 21 with destination port >=1024. A Passive FTP Client then requests the IP Address and Port to be used for data transfer, which is in the High Ports area. The Client then starts the transfer with source port >= 1024 and destination port >= 1024. That would be normal use. If you define poor firewall rules, an attacker might be able to use these ports even if no related communication has taken place before.

-Knut Erik

-----Original Message-----
From: Bruce Marshall [mailto:bmarsh@bmarsh.com]
Sent: Friday, August 01, 2003 4:21 AM
To: SLE
Subject: Re: [SLE] Firewall interpretation request

On Thursday 31 July 2003 22:08 pm, John wrote:
Hiya gang,
I happened to notice last night that my RD light on my modem was goin' ape-crazy, and my TD was only once in a while (maybe every 3 or 4 seconds) blinking, so I knew not much was going 'out'. I couldn't for the life of me remember where to look at logs for the firewall, until just now. This is a sample of what I found:
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192 RES=0x00 SYN URGP=0
Okay, I checked and the SRC was *not* my ISP's remote address, the DST was correct though as *my* assigned address at the time (dial-up modem). I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again.

So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what do each of those things mean (I think I understand the 'PROTO', heh)? I tried looking some of them up, but wasn't getting anything clear enough for an 'idiot' to understand. Why would only the 'DPT' change, and why only that range? Is/was this a DDoS? It sure didn't bother me any, since I could start a download or surf the web without any noticeable slowdown. Does this mean that SuSEFirewall2 was doing its job well? (I'm leaning strongly toward 'it did a fantastic job')
Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol
John --
linux1:/var/log # whois 204.1.226.229
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 204.0.0.0 - 204.3.255.255
CIDR: 204.0.0.0/14
NetName: VRIO-204-000
NetHandle: NET-204-0-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-07-26
Updated: 2003-07-10
TechHandle: VIA4-ORG-ARIN
TechName: Verio, Inc.
TechPhone: +1-303-645-1900
TechEmail: vipar@verio.net
OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net
OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net
OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net

--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI  07/31/03 22:20 +
+----------------------------------------------------------------------------+
"Why do we drive on Parkways, and park on Driveways?"
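The log line John posted, decoded field by field and checked for the one-second DPT sweep he describes, as an added example that is not part of this thread. The parser and the sweep check are my own; the DST address 192.0.2.10 and the second source 192.0.2.7 are constructed placeholders.

```python
import re
from collections import defaultdict
# Meaning of the IP-header fields (LEN..PROTO) and TCP-header fields (SPT..URGP)
# in the netfilter LOG format that SuSEfirewall2 writes.
FIELD_HELP = {
    "LEN": "total IP packet length in bytes (40 = bare 20-byte IP + 20-byte TCP headers)",
    "TOS": "IP type-of-service bits", "PREC": "IP precedence bits",
    "TTL": "IP time-to-live, hops remaining", "ID": "IP identification field",
    "PROTO": "IP protocol", "SPT": "source port", "DPT": "destination port",
    "WINDOW": "TCP receive window", "RES": "TCP reserved bits", "URGP": "TCP urgent pointer",
}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<rest>.*)$")

def parse_line(line):
    """Split one kernel log line into a dict of KEY=value fields plus a set of TCP flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "prefix": m["prefix"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec

def explain(rec):
    """Annotate each header field of a parsed record with its meaning."""
    return {k: f"{rec[k]}: {FIELD_HELP[k]}" for k in FIELD_HELP if k in rec}

def find_sweeps(lines, min_ports=3):
    """Flag sources whose dropped, unsolicited SYNs (SYN set, no ACK) hit many
    distinct DPTs within the same one-second timestamp: the pattern John saw."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and rec["flags"] == {"SYN"}:
            hits[(rec["ts"], rec["SRC"])].add(int(rec["DPT"]))
    return {key: sorted(ports) for key, ports in hits.items() if len(ports) >= min_ports}

def drop_line(src, dpt, ttl=112, spt=65143):
    """Constructed sample line in the shape of John's log entry; DST is a placeholder."""
    return (f"Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC={src} "
            f"DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL={ttl} ID=32768 PROTO=TCP SPT={spt} "
            f"DPT={dpt} WINDOW=8192 RES=0x00 SYN URGP=0")

# The scanner cycling DPT 1024 upward, plus one unrelated single SYN that must not be flagged.
SAMPLE = [drop_line("204.1.226.229", p) for p in range(1024, 1031)] + [drop_line("192.0.2.7", 80, ttl=64, spt=40000)]
```

Run `find_sweeps(SAMPLE)` to get the (second, SRC) pairs that swept several ports; `explain(parse_line(line))` answers the LEN-to-URGP question for any single entry.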