April 14th, 2003, 01:14 AM
quick intrusion question...
I was setting up my iptables with shorewall and as I was adding rules I wondered something. If I open a port, and any programs that use said port are not running, then what happens to the packets that someone might send to try to exploit that port? If no programs are up for the computer to send the packets to, then are they dropped? Logged? Something else?
All comments would be appreciated as I am trying to learn as much as possible, and I'm starting at a pretty low level.
April 14th, 2003, 01:21 AM
When a program stops "listening" for ports on your machine then they tend to be either blocked or dropped. If you don't have a program which specifically listens for a port, like telnet or ftp, then I wouldn't worry too much.
April 14th, 2003, 01:33 AM
Yeah, that's kind of what I was thinking; it's just a lot different than the Norton I cut my teeth on because when you set it up it's usually for each program, not just port by port. I also was wondering what exactly happens to the packets and any info anyone might have on the logs.
April 14th, 2003, 03:19 AM
As NeuTron indicated, when nothing is listening there is no socket. The port is closed, but traffic is logged or dropped depending on your FW rules. Shutting down the listening app does not change the rules. The FW is before the app and it will treat any packet the way you tell it to, regardless of the app's state.
Hope that helps.
April 14th, 2003, 09:14 PM
Depending on how your box (and your network) is configured, your machine may also return an ICMP SERVICE UNAVAILABLE packet, or confusingly, an ICMP TIMEOUT EXCEEDED packet.
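The behaviour discussed in this thread can be observed from the client side. The following is an added example, not part of any post above: it probes only 127.0.0.1, and the names `probe` and `demo` and the state labels are assumptions chosen for illustration.

```python
import errno
import socket


def probe(host, port, timeout=1.0):
    """Classify a TCP port by how a connection attempt to it ends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            # The SYN got through and nothing was listening, so the
            # kernel answered with a TCP RST.
            return "closed"
        except socket.timeout:
            # No answer at all: consistent with a firewall DROP rule.
            return "filtered"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                # No route, or an ICMP unreachable error came back.
                return "unreachable"
            raise
        # The three-way handshake completed: a program is listening.
        return "open"


def demo():
    """Probe one loopback port while a listener runs and after it stops."""
    # Constructed scenario: a listener on an ephemeral loopback port
    # stands in for "the program that uses the port".
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    running = probe("127.0.0.1", port)
    srv.close()  # the program stops; no firewall rule has changed
    stopped = probe("127.0.0.1", port)
    return running, stopped


if __name__ == "__main__":
    print(demo())
```

A "filtered" result appears only when a firewall rule silently drops the packet before it reaches the TCP stack, which is why it does not show up on an unfiltered loopback interface.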