[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] multiple connections using service 32778
Another possibility is if you're using Firewall-1 smtp security server to protect an internal mail server. The firewall intercepts any incoming SMTP connections to your mail server and will talk to the remote server on a port somewhere round about 32778 as you mentioned, although this port varies. Go on to your firewall server and do a "netstat" to see what connections you have open, if using Solaris, grep for port 32778. This will show all the active connections and resolve them if possible. Look for the ones on port 32778 and you can test them to see if they are mail servers by trying a telnet to them on port 25 telnet mailserver.ipaddressordomainname.com 25 If all these connections are from mail servers then this is what you're seeing in your logs. Your firewall rule "Any -- firewall -- Any -- Drop" does not catch this because it's being accepted by a rule allowing SMTP to your mail server and then is handled by the SMTP security server on this different port. Just one possibility no doubt, hope it helps. Regards, Paul. -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Christian Gresser Sent: 22 October 2001 16:39 To: [email protected] Subject: [FW-1] AW: [FW-1] multiple connections using service 32778 Hello Elisabeth, looks like you are running Sun Solaris somewhere, because this is one of the ports Solaris regularly uses for an RPC service. Try 'rpcinfo -p' on the offending system (if it is Sun) and check for a rule, allowing RPC traffic. Check Point defines RPC as an RPC service number (like 100003 is NFS) independent of the port and automatically tracks the ports. Chris. > -----Ursprüngliche Nachricht----- > Von: Elisabeth Wonders [mailto:[email protected]] > Gesendet: Montag, 22. Oktober 2001 16:36 > An: [email protected] > Betreff: [FW-1] multiple connections using service 32778 > > > During a 15 minute span this morning, my active log showed 40-50 > connections from about 10 different source IPs (some of which I could > resolve, some not) to my firewall, all using service 32778. > One of the > IP's had 20 concurrent connections. > > Two questions: > > What is that service used for? It was listed as unassigned > at IANA's site > http://www.iana.org/assignments/port-numbers > > Why did my "Any -- firewall -- Any -- Drop" rule not catch this? > > I've added a rule just to block this mystery traffic until I > get a handle > on what it is. > > TIA for any help/opinions you may have to offer. > > Elisabeth > > =============================================== > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > =============================================== > =============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html =============================================== ********************************************************************** This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments without retaining a copy. ********************************************************************** =============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===============================================
|