[StartingOver]

Mike Waychison mike-DlQxw/23Tq2aMJb+Lgu22Q at public.gmane.org
Fri Feb 13 15:06:18 UTC 2004


Gregory D Hough wrote:
> Greetings tlug,
> 
> Although I have four years of Linux under my belt, the more I learn the  
> less I know. My Lin/Win network fell apart, rather I TOOK it apart. I  
> saw things I didn't understand and felt it best to start over from  
> scratch.
> 
> I wish to begin rebuilding from the firewall. One thing I noticed right  
> from the get-go is the way a default firewall is handling certain  
> connection requests. Most notably is the way Shorewall on Mandrake  
> (out-of-the-box) treats ICMP (8) and port 135. Pings are dropped which  
> is a good thing, but SYN packets to 135 go to a reject chain and are  
> ultimately sent a ZeroWindow RST ACK. I thought this port was akin to a  
> Windows specific vulnerability with DCOM services. Why would a Linux  
> firewall be treating it differently in not just dropping it altogether?

It isn't treating it differently.  A RST|ACK packet is sent in reply to 
a SYN packet when the port in question does not have anything listening 
on it.  This is normal and complies with RFC 793 (page 65, "SEGMENT 
ARRIVES - State is CLOSED").

> 
> Secondly, call me a geek, but I get more enjoyment watching tcpdump  
> than network TV and this just came in:
> 
> 65.203.175.213:666 > 66.203.175.213:1026 in the form of a Messenger  
> NetrSendMessage request DCE RPC trying to tell me how to disable pop- 
> ups and to go to www dot messagestop dot net. I'm not concerned with  
> this traffic on this machine, but as I rebuild the network I've had to  
> give the kids a WinNT box to run that cludge called MSN Messenger. And  
> although I've done my best to DCOMbobulate that machine, I'd feel a  
> whole lot better putting it back behind a real firewall ASAP. This  
> particular set of packets is brand new to me, and the remarkable  
> similarity to my current IP address is disturbing. I believe it is no  
> coincidence and wish to bring the new network back up prepared for such.

First off, the Messenger warning and all the 'ads' popping up on 
people's computers has nothing to do with the MSN Messenger IM service. 
It is a different Messenger RPC service enabled by default on many 
Windows hosts.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
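Mike's point above is the rule on page 65 of RFC 793 for a segment arriving at a port in the CLOSED state. As an added example (not code from the thread, from Shorewall or from RFC 793 itself), the function below implements that rule; the `TcpSegment` type and its field names are my own choice.

```python
"""RFC 793 'SEGMENT ARRIVES - State is CLOSED' reply rule, worked example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0
    flags: frozenset = field(default_factory=frozenset)  # e.g. {"SYN"}
    window: int = 0
    payload_len: int = 0

    @property
    def seg_len(self) -> int:
        # RFC 793: SEG.LEN counts data octets plus one each for SYN and FIN.
        return self.payload_len + ("SYN" in self.flags) + ("FIN" in self.flags)


def closed_port_reply(seg: TcpSegment) -> Optional[TcpSegment]:
    """Segment a host sends when `seg` arrives for a port with no listener.

    RFC 793 p.65: an incoming RST is silently discarded; anything else
    gets a RST.  With the ACK bit off (a plain SYN, as in the port-135
    probe from the original post) the reply is
        <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    and with the ACK bit on it is
        <SEQ=SEG.ACK><CTL=RST>.
    The reply advertises window 0, which is why tcpdump shows it as a
    'ZeroWindow' RST|ACK.  A firewall DROP policy would return nothing.
    """
    if "RST" in seg.flags:
        return None
    if "ACK" not in seg.flags:
        return TcpSegment(seg.dst, seg.dport, seg.src, seg.sport,
                          seq=0, ack=(seg.seq + seg.seg_len) % 2**32,
                          flags=frozenset({"RST", "ACK"}), window=0)
    return TcpSegment(seg.dst, seg.dport, seg.src, seg.sport,
                      seq=seg.ack, ack=0, flags=frozenset({"RST"}), window=0)


if __name__ == "__main__":
    # Constructed sample: a SYN to port 135, like the one in the post.
    probe = TcpSegment("198.51.100.7", 40000, "192.0.2.10", 135,
                       seq=1000, flags=frozenset({"SYN"}))
    print(closed_port_reply(probe))
```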