question about a connection that bypassed a firewall

  1. #1
    Banned
    Join Date
    Jul 2004
    Posts
    297

    question about a connection that bypassed a firewall

    I'm sure someone here can shed some light on this. I have a small home network, behind a 2wire home portal (has its own firewall). I'm port forwarding standard web ports and a couple odds and ends to a Debian (sarge 3.1) box that's running as a virt server. Ports 19 20 21 25 110 80 81 444 10000. I was spot checking the box for active connections using iptraffic and noticed an incoming connection on port 53300 from an external source. How was this connection bypassing the hardware firewall? rkhunter and chkrootkit revealed nothing, so I just added the IP to iptables as a drop. ifstat was showing a 4k incoming / 12k outgoing connection. I was in a hurry and forgot to run ethereal to capture some of the traffic to see what it was; that's one I won't forget next time.
    It's just a project box so no real worries if it's been compromised, but I don't want to reconnect the box to the network until I'm a little more clear as to what was going on with the machine.
    If anyone can give me any advice as to anything specific to check before I put the machine back online it would be greatly appreciated.

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    This is a really quick reply, so apologies if anything is incorrect or unclear. Look into the behavior of all your services...I believe some apps will create a new socket elsewhere (53000 for example) once a valid connection has been initiated. Like apache...httpd will spawn multiple threads, and each thread will answer requests. 80 is simply the service port that is being listened to...actual traffic back and forth takes place on other ports, I believe. These are allowed by the firewall because they aren't NEW connections, they are existing sockets that are simply adding new ports.

    That is general info, you'll have to check into specifics yourself. Sorry it's not more complete, I'm running out the door as soon as I post this!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    12
    I had a look at http://www.iana.org/assignments/port-numbers and 53300 doesn't seem to be a well known port. Nor did google return anything of significance. HTTP does not redirect to another port.

    First... are you sure port 53300 is not on their side, or a loopback, or a service you've moved to that port and forgotten... you appear to be running an FTPd so it could be one of the FTP data ports, usually a range over 1024.

  4. #4
    Banned
    Join Date
    Jul 2004
    Posts
    297
    This issue was solved 10 days ago by refreshing my external ip address. I never did figure out how that connection was inbound on that port but I think zencoder nailed it. Thanks for the input though.

  5. #5
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Don't know if this will help or not, however, a couple of my son's online games use that port for outbounders...I see it all the time on the log.

    cheers
    Connection refused, try again later.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by zencoder
    I believe some apps will create a new socket elsewhere (53000 for example) once a valid connection has been initiated. Like apache...httpd will spawn multiple threads, and each thread will answer requests. 80 is simply the service port that is being listened to...actual traffic back and forth takes place on other ports, I believe.
    No, it doesn't.. Apache (and any other web server) will listen AND respond from port 80.. No other ports will be used.. FTP and RPC on the other hand will define a random port to transfer the data..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
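The disagreement between posts #2 and #6 (whether a web server moves established connections to other ports, and which services really do open extra data ports) comes down to reading the socket table correctly. The script below is an added example for this thread, not code from any of the posters: it parses `ss -tn`-style output, checks each established connection against the set of ports the original poster forwards, and treats a connection whose local port is a forwarded service port (including FTP-DATA on port 20, which the server itself opens in active mode) as expected, while a socket with a high port on both ends, like the 53300 case, is flagged for a closer look. The sample socket table is constructed; the TEST-NET addresses in it stand in for external peers, and the ephemeral range is the Linux default.

```python
"""Triage established TCP connections against the ports that are deliberately
forwarded to a server, to separate expected service traffic (including FTP
active-mode data from port 20) from sockets that deserve a closer look.

Added example for this thread, not code from any poster. It assumes a Linux
host with iproute2's `ss`; the sample output below is constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass

# Ports the original poster forwards from the 2wire portal to the Debian box.
FORWARDED_PORTS = {19, 20, 21, 25, 80, 81, 110, 444, 10000}

# Linux default ephemeral (client-side) port range, from ip_local_port_range.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999

# Addresses that are "inside" the home portal: RFC 1918 space plus loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed `ss -tn` output: one web hit on the forwarded port, one FTP
# active-mode data transfer from port 20, one high-port/high-port socket like
# the 53300 case, one outbound HTTPS client, and one loopback hit on Webmin.
# The 192.0.2.x / 198.51.100.x / 203.0.113.x peers are documentation addresses
# used here to represent external hosts.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.10:80      203.0.113.7:51234
ESTAB  0      0      192.168.1.10:20      203.0.113.7:51300
ESTAB  0      0      192.168.1.10:53300   198.51.100.9:4433
ESTAB  0      0      192.168.1.10:41022   192.0.2.5:443
ESTAB  0      0      127.0.0.1:53301      127.0.0.1:10000
"""


@dataclass
class Conn:
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int


def is_lan(ip: str) -> bool:
    """True for RFC 1918 or loopback addresses, i.e. peers behind the portal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_ss(text: str) -> list:
    """Parse the Local/Peer columns of `ss -tn` output into Conn records."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        local_ip, local_port = fields[3].rsplit(":", 1)  # rsplit tolerates IPv6
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        conns.append(Conn(local_ip, int(local_port), peer_ip, int(peer_port)))
    return conns


def classify(conn: Conn, forwarded=FORWARDED_PORTS) -> str:
    """Label one connection from the socket table alone.

    The table does not record which side initiated the connection, so the
    labels are deliberately conservative: anything that is not clearly a
    forwarded service, a LAN/loopback socket, or an ordinary outbound client
    is marked 'review' so the owning process can be checked with `ss -tnp`.
    """
    if is_lan(conn.peer_ip):
        return "local"          # LAN or loopback peer; not a firewall question
    if conn.local_port in forwarded:
        return "service"        # the forwarded listener, or FTP-DATA from port 20
    if EPHEMERAL_LOW <= conn.local_port <= EPHEMERAL_HIGH and conn.peer_port < 1024:
        return "outbound"       # our ephemeral port talking to their well-known port
    return "review"             # high port on both ends: confirm the owning process


def triage(text: str, forwarded=FORWARDED_PORTS) -> list:
    """Return (local_port, peer_ip, peer_port, label) for every parsed connection."""
    return [(c.local_port, c.peer_ip, c.peer_port, classify(c, forwarded))
            for c in parse_ss(text)]


if __name__ == "__main__":
    for local_port, peer_ip, peer_port, label in triage(SAMPLE_SS_OUTPUT):
        print(f"{label:8} local:{local_port:<6} peer:{peer_ip}:{peer_port}")
```

Two caveats worth keeping in mind when running this against a real box. Passive-mode FTP, unlike the active-mode transfer on port 20 shown above, accepts the data connection on a high port chosen by the server, so if the FTP daemon is configured with a passive port range that range belongs in the forwarded set, otherwise those transfers will show up as 'review'. And a 'review' entry only means the socket table cannot tell which side opened the connection: a client program on the box talking to a peer's high port (the online games mentioned in post #5 are a typical case) looks exactly like an inbound connection, which is why the next step is `ss -tnp` or `lsof -i` to see which process owns the socket before reaching for iptables.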
