February 16th, 2006, 02:48 PM
question about a connection that bypassed a firewall
I'm sure someone here can shed some light on this. I have a small home network, behind a 2wire home portal (has its own firewall). I'm port forwarding standard web ports and a couple odds and ends to a Debian (sarge 3.1) box that's running as a virt server: ports 19 20 21 25 110 80 81 444 10000. I was spot checking the box for active connections using iptraf and noticed an incoming connection on port 53300 from an external source. How was this connection bypassing the hardware firewall? rkhunter and chkrootkit revealed nothing, so I just added the IP to iptables as a drop. ifstat was showing a 4k incoming / 12k outgoing connection. I was in a hurry and forgot to run ethereal to capture some of the traffic to see what it was; that's one I won't forget next time.
It's just a project box so no real worries if it's been compromised, but I don't want to reconnect the box to the network until I'm a little more clear as to what was going on with the machine.
If anyone can give me any advice as to anything specific to check before I put the machine back online it would be greatly appreciated.
February 16th, 2006, 03:34 PM
This is a really quick reply, so apologies if anything is incorrect or unclear. Look into the behavior of all your services... I believe some apps will create a new socket elsewhere (53000 for example) once a valid connection has been initiated. Like apache... httpd will spawn multiple threads, and each thread will answer requests. 80 is simply the service port that is being listened to... actual traffic back and forth takes place on other ports, I believe. These are allowed by the firewall because they aren't NEW connections, they are existing sockets that are simply adding new ports.
That is general info, you'll have to check into specifics yourself. Sorry it's not more complete, I'm running out the door as soon as I post this!
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 26th, 2006, 10:10 PM
I had a look at http://www.iana.org/assignments/port-numbers and 53300 doesn't seem to be a well known port. Nor did Google return anything of significance. HTTP does not redirect to another port.
First... are you sure port 53300 is not on their side, or a loopback, or a service you've moved to that port and forgotten... you appear to be running an FTPd so it could be one of the FTP data ports, usually a range over 1024.
February 26th, 2006, 11:21 PM
This issue was solved 10 days ago by refreshing my external ip address. I never did figure out how that connection was inbound on that port but I think zencoder nailed it. Thanks for the input though.
February 27th, 2006, 12:07 AM
Don't know if this will help or not, however, a couple of my son's online games use that port for outbounders...I see it all the time on the log.
Connection refused, try again later.
February 27th, 2006, 09:07 AM
Originally posted here by zencoder:
I believe some apps will create a new socket elsewhere (53000 for example) once a valid connection has been initiated. Like apache... httpd will spawn multiple threads, and each thread will answer requests. 80 is simply the service port that is being listened to... actual traffic back and forth takes place on other ports, I believe.
No, it doesn't. Apache (and any other webserver) will listen AND respond from port 80. No other ports will be used. FTP and RPC on the other hand will define a random port to transfer the data.
Experience is something you don't get until just after you need it.
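Not part of the thread: an added Python example of the kind of check the first post asks for, applying what the later replies establish (Apache answers from port 80 itself; only an FTP or RPC daemon should own a random high port). It assumes `ss -tanp` output in the layout of the constructed sample below; the forwarded-port list is the one from the first post, and the daemon names are assumptions.

```python
import re

# Ports the first post says are forwarded from the 2wire portal to the Debian box.
FORWARDED_PORTS = {19, 20, 21, 25, 110, 80, 81, 444, 10000}
# Daemons that legitimately own data sockets on random high ports (passive-mode
# FTP, as the replies note). Assumed names; adjust to what the box actually runs.
HIGH_PORT_DAEMONS = {"proftpd", "vsftpd", "pure-ftpd"}

# One row of `ss -tanp` output; the users:((...)) column is only shown to root.
ROW = re.compile(r'^(?P<state>\S+)\s+\d+\s+\d+\s+\S+:(?P<lport>\d+)\s+\S+:(?P<rport>\d+|\*)'
                 r'(?:\s+users:\(\("(?P<proc>[^"]+)")?')

def classify(ss_output):
    """Return (label, local_port, process) per row; UNEXPLAINED rows are the ones to
    capture with ethereal/tcpdump and tie to a process before going back online."""
    rows = [m for m in map(ROW.match, ss_output.strip().splitlines()[1:]) if m]
    listening = {int(m["lport"]) for m in rows if m["state"] == "LISTEN"}
    findings = []
    for m in rows:
        lport, proc = int(m["lport"]), m["proc"] or "?"
        if m["state"] == "LISTEN":
            label = "listener(forwarded)" if lport in FORWARDED_PORTS else "LISTENER NOT FORWARDED"
        elif lport in listening:
            label = "service traffic"      # Apache answers from port 80 itself, no extra port
        elif lport > 1023 and proc in HIGH_PORT_DAEMONS:
            label = "ftp data port"        # passive FTP: random high port owned by the ftpd
        elif lport > 1023 and int(m["rport"]) < 1024:
            label = "outbound client"      # the box connecting out, e.g. apt over port 80
        else:
            label = "UNEXPLAINED"
        findings.append((label, lport, proc))
    return findings

# Constructed sample in `ss -tanp` layout; peer addresses are documentation ranges.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*           users:(("apache2",pid=812,fd=4))
LISTEN 0      32     0.0.0.0:21           0.0.0.0:*           users:(("proftpd",pid=900,fd=3))
LISTEN 0      5      0.0.0.0:6666         0.0.0.0:*           users:(("sh",pid=1337,fd=3))
ESTAB  0      0      192.168.1.10:80      203.0.113.5:51234   users:(("apache2",pid=815,fd=12))
ESTAB  0      0      192.168.1.10:52040   198.51.100.7:4421   users:(("proftpd",pid=901,fd=7))
ESTAB  0      0      192.168.1.10:41022   198.51.100.20:80    users:(("apt-get",pid=2001,fd=5))
ESTAB  0      0      192.168.1.10:53300   198.51.100.9:3333   users:(("sh",pid=1337,fd=4))
"""

if __name__ == "__main__":
    for label, port, proc in classify(SAMPLE):
        print(f"{label:24} local port {port:<6} process {proc}")
```

Run it as root so `ss` fills in the process column; a row with no owning process, or a high port owned by something that is not the FTP daemon, is the one to capture and investigate.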