Re: [FW-1] multiple connections using service 32778

I have built FW's on Solaris and I have seen these connections too. If you put a utility called "lsof" on your box, you can see the process which is using the particular ports. It's helped me sleep better on a number of occasions. I think in your case I think you'll see that the Firewall process has them. (eg: I think you're probably ok). You can get lsof from www.sunfreeware.com

To see which process has which port, type

    lsof -i :<port#>

eg: to see all current connections on port 80, type

    ./lsof -i :80 <enter>

lsof can do a whole lot more. Highly recommended. What a bargain. ;-)

re: sun box for FW duty - unless you absolutely need the CDE, you should be able to disable rpc services entirely IIRC (if you have not already). I'd recommend taking out the references in the config files as well as deleting the binary to things like FTP, Telnet, Sendmail, etc. There are a number of good "how to's" out there if you need one or just want a different perspective.

Not sure why the stealth rule does not stop this completely, must be something about the way that CP deals with some kinds of connections (how it evaluates them).. I dunno. It bugs me too FWIW.

Lastly, there are a number of firms out there working on developing dynamic routing protocols who use high # UDP ports usually. I have called a couple to find out what they're up to when I've seen the logs go by.. I'll get splatted with hundreds of hits on a high port.. Lately I've had lots of stuff stopped on port tcp/51092. That seems to be the port du jour.

HTH,
Joe Pampel

>>> Robert Woods <[email protected]> 10/22/01 11:35AM >>>

Hello Elisabeth,

This is all I could find on port 32778.

Port 32778 / tcp
Keyword sometimes-rpc19
Description Sometimes an RPC port on my Solaris box (rstatd)

Port 32778 / udp
Keyword sometimes-rpc20
Description Sometimes an RPC port on my Solaris box (rstatd)

Haven't seen such activity on my boxes.
Robert Woods

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Elisabeth Wonders
Sent: Monday, October 22, 2001 10:36 AM
To: [email protected]
Subject: [FW-1] multiple connections using service 32778

During a 15 minute span this morning, my active log showed 40-50 connections from about 10 different source IPs (some of which I could resolve, some not) to my firewall, all using service 32778. One of the IP's had 20 concurrent connections.

Two questions:

What is that service used for? It was listed as unassigned at IANA's site http://www.iana.org/assignments/port-numbers

Why did my "Any -- firewall -- Any -- Drop" rule not catch this? I've added a rule just to block this mystery traffic until I get a handle on what it is.

TIA for any help/opinions you may have to offer.

Elisabeth

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================