I was looking through my firewall logs today and found some entries that indicated my public ip addresses were being scanned for port 111. What is unusual about this is the firewall is behind a router with an ACL on the external interface that specifically denies port 111. I reviewed the ACL to make sure there were no holes in it which would allow this traffic through, but did not see anything. I had another engineer look it over and he saw nothing that would allow it through either. All the source ports were above 53,000 and all the entries were from the same source IP. I added a deny for the source IP to the top of the ACL to hopefully block any future scans.

The ACL is scripted to allow only traffic through to specific IP/port combinations. I checked to make sure the ACL was applied to the external interface and it was. Is there a new exploit that allows traffic to bypass ACL's? Does anyone have any ideas what might have caused this?

We have no external exposure on port 111, but if something can punch through the ACL, I am greatly concerned about other ports.

"Any sufficiently advanced technology is indistinguishable from magic."

- Arthur C. Clarke