Firewall Wizards mailing list archives

Re: PIXen spewing udp packets at port 111?!


From: Dave Mitchell <dmitchell () viawest net>
Date: Tue, 7 Jan 2003 12:59:48 -0700

Hey Ron,

  Just for clarity, can you tell me exactly the flow of data you are seeing?
Is it from Sun boxes on your internal side just speaking outbound through your PIX
on udp/111? Is it connecting to servers on the outside that some of your workstations
are connecting to? 

  You can turn off rpc.portmap by taking it out of your init script. Just change 
/etc/rc2.d/S71rpc (or your startup number) to /etc/rc2.d/XS71rpc and do the same
in /etc/rc0.d and rc1.d for the kill scripts.

-dave

  

On Tue, Jan 07, 2003 at 02:30:49PM -0500, R. DuFresne wrote:
Howdy Dave,

Thanks for the reply.  Are you suggesting that the webhosts, indeed sun
boxen, might be initiating the udp exchange with the gateway of the PAT'ed
addresses behind it?

My understanding, and it's a tad dated, and might be outdated, is that
it's near to impossible <hoop jumping and kernel hacks if I recall> to
tune out RPC on solaris, which is better trained via filtering and such.
Is this still valid understanding, or dated?  solaris 6 and 7 at present,
with considerations of solaris 9 in some future context.

Thanks,

Ron DuFresne

On Tue, 7 Jan 2003, Dave Mitchell wrote:

I've never seen this on any PIX I've worked with. I'd first check that you don't have
a problem with a *nix box running RPC portmap (tcp/udp 111). I'd first check any Solaris
boxen.

-dave

On Mon, Jan 06, 2003 at 08:29:10PM -0500, R. DuFresne wrote:

Out of curiosity, I'm wondering if the PIX admins on the  list might be
able to point me at the misconfiguration that would cause a PIX, doing PAT
for one or more  subnets behind it, might spew udp packets to port 111 on
systems the PAT'ed users behind it are connecting to.  The services
offered to the users are FTP and HTTP, being web hosts and all.

From the recent logging thread on pix'en, it seems to clarify why the
admins we are dealing with have not been able to trace the issues on their
end, and leads us to suspect the packets are from the pix itself rather
than the clients behind it...

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
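
The init-script rename described in Dave's reply at the top of this message, written out as an added example (not code from any poster in the thread). The function name `disable_rpc_rc`, its `apply` argument and the `RPC_RC_COUNT` variable are hypothetical, and it assumes a POSIX shell and scripts named `S<nn>rpc` / `K<nn>rpc` as in the reply.

```shell
#!/bin/sh
# Added example: rename the rpc start/kill scripts so init skips them.
# disable_rpc_rc ROOT [apply]
#   ROOT  - directory holding rc0.d, rc1.d and rc2.d (normally /etc)
#   apply - pass the literal word "apply" to rename; anything else is a dry run
# Prints one line per script and sets RPC_RC_COUNT to the number of scripts
# that were (or would be) renamed.
disable_rpc_rc() {
    root=$1
    mode=${2:-dry-run}
    RPC_RC_COUNT=0
    for dir in rc0.d rc1.d rc2.d; do
        # S??rpc is the start script, K??rpc the kill script; the sequence
        # number differs between hosts, so match it instead of hard-coding 71.
        for path in "$root/$dir"/[SK][0-9][0-9]rpc; do
            [ -f "$path" ] || continue      # glob matched nothing in this dir
            name=${path##*/}
            target="$root/$dir/X$name"      # e.g. S71rpc -> XS71rpc
            if [ -e "$target" ]; then
                echo "skip   $path ($target already exists)"
                continue
            fi
            RPC_RC_COUNT=$((RPC_RC_COUNT + 1))
            if [ "$mode" = apply ]; then
                mv "$path" "$target" && echo "moved  $path -> $target"
            else
                echo "would  $path -> $target"
            fi
        done
    done
}
```

Run it as `disable_rpc_rc /etc` first to review the list, then `disable_rpc_rc /etc apply`; the rename only affects the next run-level change, so a portmapper that is already running keeps listening until it is stopped.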

