Re: [FW-1] multiple connections using service 32778



Another possibility is if you're using Firewall-1 smtp security server to
protect an internal mail server.  The firewall intercepts any incoming SMTP
connections to your mail server and will talk to the remote server on a port
somewhere round about 32778 as you mentioned, although this port varies.

Go on to your firewall server and do a "netstat" to see what connections you
have open, if using Solaris, grep for port 32778.  This will show all the
active connections and resolve them if possible.  Look for the ones on port
32778 and you can test them to see if they are mail servers by trying a
telnet to them on port 25

telnet mailserver.ipaddressordomainname.com 25

If all these connections are from mail servers then this is what you're
seeing in your logs.  Your firewall rule

"Any -- firewall -- Any -- Drop"

does not catch this because it's being accepted by a rule allowing SMTP to
your mail server and then is handled by the SMTP security server on this
different port.

Just one possibility no doubt, hope it helps.

Regards,
Paul.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Christian Gresser
Sent: 22 October 2001 16:39
To: [email protected]
Subject: [FW-1] AW: [FW-1] multiple connections using service 32778


Hello Elisabeth,

Looks like you are running Sun Solaris somewhere,
because this is one of the ports Solaris regularly
uses for an RPC service.

Try 'rpcinfo -p' on the offending system (if it is
Sun) and check for a rule allowing RPC traffic.
Check Point defines RPC as an RPC service number
(like 100003 is NFS) independent of the port and
automatically tracks the ports.

Chris.

> -----Original Message-----
> From: Elisabeth Wonders [mailto:[email protected]]
> Sent: Monday, 22 October 2001 16:36
> To: [email protected]
> Subject: [FW-1] multiple connections using service 32778
>
>
> During a 15 minute span this morning, my active log showed 40-50
> connections from about 10 different source IPs (some of which I could
> resolve, some not) to my firewall, all using service 32778.
> One of the IPs had 20 concurrent connections.
>
> Two questions:
>
> What is that service used for?  It was listed as unassigned at IANA's site
> http://www.iana.org/assignments/port-numbers
>
> Why did my "Any -- firewall -- Any -- Drop" rule not catch this?
>
> I've added a rule just to block this mystery traffic until I get a handle
> on what it is.
>
> TIA for any help/opinions you may have to offer.
>
> Elisabeth
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>

**********************************************************************
This message may contain information which is confidential
or privileged.  If you are not the intended recipient, please
advise the sender immediately by reply e-mail and delete this
message and any attachments without retaining a copy.

**********************************************************************
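
The netstat check suggested in the reply above, as an added example that is not part of the original thread: it counts remote peers per address for one local port, which also surfaces a single host holding many concurrent connections. The function names and the sample netstat text (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -an` text on stdin and
# counts remote peers connected to one local port. Accepts Solaris
# "addr.port" and Linux "addr:port" address columns.
peers_on_port() {
    awk -v want="$1" '
        # Split an address at its last "." or ":"; sets HOST and PORT.
        function split_addr(s,    i, c) {
            for (i = length(s); i > 0; i--) {
                c = substr(s, i, 1)
                if (c == "." || c == ":") break
            }
            if (i == 0) return 0
            HOST = substr(s, 1, i - 1); PORT = substr(s, i + 1)
            return 1
        }
        {
            # Linux rows start with the protocol, Solaris rows with the local address.
            if ($1 ~ /^tcp/) { l = $4; r = $5 } else { l = $1; r = $2 }
            if (!split_addr(l) || PORT != want) next        # header, or other local port
            if (!split_addr(r) || PORT !~ /^[0-9]+$/) next  # listener ("*.*") or header
            count[HOST]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Constructed Solaris-style sample; 192.0.2.1 stands in for the firewall.
sample_netstat() {
    cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.32778              *.*                0      0 49152      0 LISTEN
192.0.2.1.32778      198.51.100.7.40112   8760      0 49640      0 ESTABLISHED
192.0.2.1.32778      198.51.100.7.40113   8760      0 49640      0 ESTABLISHED
192.0.2.1.32778      203.0.113.25.51022   8760      0 49640      0 TIME_WAIT
192.0.2.1.25         203.0.113.25.51020   8760      0 49640      0 ESTABLISHED
192.0.2.1.22         192.0.2.50.32778     8760      0 49640      0 ESTABLISHED
EOF
}

# On the firewall itself: netstat -an | peers_on_port 32778
sample_netstat | peers_on_port 32778
```

Each address it lists can then be checked against port 25 as described in the reply.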

   All contents © 2004 Network Presence, LLC. All rights reserved.