off-topic ports 1720 and 6000-6009 shown even though they should be filtered
Bill Davidsen
davidsen at tmr.com
Wed Mar 18 18:30:29 UTC 2009
Phill wrote:
> I know this isn't RHEL support, but I thought I'd ask this question anyways, see if you gurus know what might be going on. I have a rhel 5 web/ftp server. I'm using iptables to filter all ports except 21 and 80. Yet if I do an nmap of the server, this is the output I get.
> -------------------------------
> PORT STATE SERVICE
> 21/tcp open ftp
> 80/tcp open http
> 1720/tcp open H.323/Q.931
FYI: http://www.packetizer.com/ipmc/h323/papers/primer/
VOIP, do you run Vonage or Skype? In any case the port is open, but nothing is
listening (at the time you ran the probe).
> 6000/tcp closed X11
> 6001/tcp closed X11:1
> 6002/tcp closed X11:2
> 6003/tcp closed X11:3
> 6004/tcp closed X11:4
> 6005/tcp closed X11:5
> 6006/tcp closed X11:6
> 6007/tcp closed X11:7
> 6008/tcp closed X11:8
> 6009/tcp closed X11:9
> 6017/tcp closed xmail-ctrl
> 6050/tcp closed arcserve
I *think* this is one of those cases where the port generates a REJECT vs. DROP
in iptables, meaning that instead of ignoring packets it returns a "go away"
ICMP packet of some kind.
> ---------------------------------
>
> Note the listening port 1720, netstat shows no service listening
> Should be irrelevant since the only traffic I'm accepting is port 21 and port 80, and related established. Shouldn't this output just show me port 21 and port 80 open and nothing else?
>
Related discussion: I wish I could return a "host unreachable" packet which made
it look as if there was no computer on the net. AFAIK you can't, because the
source IP is that of the host which can't be reached, and most ISPs get unhappy
if you SNAT the packet to appear to come from their router. At least mine do, I
tried, and one called me while the other dropped the packet.
In any case you're protected.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
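Added example, not part of the thread or of either poster's setup: a small Python check that turns an nmap listing like the one above into a list of ports whose reported state contradicts "accept 21 and 80, drop the rest". It relies on how a SYN scan labels responses: SYN/ACK is "open", a TCP RST is "closed", and either silence or an ICMP unreachable error is "filtered". iptables DROP produces silence, and REJECT with its default icmp-port-unreachable produces an ICMP error, so both show up as "filtered"; a "closed" result means a RST came back, which is what you get from REJECT --reject-with tcp-reset or from a SYN that reached the TCP stack with nothing listening. The sample output, the allowlist and the function names (parse_nmap, audit, nmap_state_for) are the example's own assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the port lines from the nmap run quoted in the post.
NMAP_SAMPLE = """\
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
1720/tcp open H.323/Q.931
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve
"""

ALLOWED_PORTS = {21, 80}  # what the firewall is supposed to ACCEPT


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Pull (port, proto, state, service) rows out of nmap's port table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue  # header, blank line or anything that is not a port row
        port, proto = parts[0].split("/", 1)
        if not port.isdigit():
            continue
        rows.append(PortResult(int(port), proto, parts[1], " ".join(parts[2:])))
    return rows


def nmap_state_for(target, reject_with="icmp-port-unreachable", listener=False):
    """State a SYN scan reports for a port whose matching iptables rule uses 'target'.

    ACCEPT hands the SYN to the TCP stack: SYN/ACK if a socket listens, else RST.
    DROP sends nothing; REJECT sends an ICMP error unless told to send a RST.
    """
    if target == "ACCEPT":
        return "open" if listener else "closed"
    if target == "DROP":
        return "filtered"
    if target == "REJECT":
        return "closed" if reject_with == "tcp-reset" else "filtered"
    raise ValueError(f"unknown iptables target {target!r}")


def audit(rows, allowed):
    """Return (port, verdict) for each row inconsistent with 'ACCEPT allowed, DROP the rest'."""
    findings = []
    for r in rows:
        if r.port in allowed:
            if r.state != "open":
                findings.append((r.port, f"allowed port reported {r.state}: rule or service missing"))
            continue
        if r.state == "filtered":
            continue  # silence or ICMP unreachable: exactly what DROP should produce
        if r.state == "open":
            # Something answered the SYN with SYN/ACK. If netstat on the host shows no
            # listener, the answer came from a device in the path or the scan was not
            # run from outside the firewall.
            findings.append((r.port, "SYN/ACK returned: ACCEPT rule, no filtering, or a device in the path answering"))
        elif r.state == "closed":
            findings.append((r.port, "RST returned: REJECT --reject-with tcp-reset, or the DROP rule did not match"))
    return findings


if __name__ == "__main__":
    for port, verdict in audit(parse_nmap(NMAP_SAMPLE), ALLOWED_PORTS):
        print(f"{port:>5}/tcp  {verdict}")
```

Run it against your own nmap output from a host outside the firewall; every "closed" line points at a port where the DROP rule never fired, which is the first thing to check in iptables -L -n -v (rule order and packet counters).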