[StartingOver]

Gregory D Hough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Sat Feb 14 03:40:26 UTC 2004


On 02/13/2004 10:06:18 AM, Mike Waychison wrote:
> Gregory D Hough wrote:
>> 
>> default firewall is
>> handling certain connection requests. Most notably is the way  
>> Shorewall on Mandrake (out-of-the-box) treats ICMP (8) and port 135.  
>> Pings are dropped which is a good thing, but SYN packets to 135 go  
>> to a reject chain and are ultimately sent a ZeroWindow RST ACK. I  
>> thought this port was akin to a Windows specific vulnerability with  
>> DCOM services. Why would a Linux firewall be treating it differently  
>> in not just dropping it altogether?
> 
> It isn't treating it differently.  A RST|ACK packet is sent in reply  
> to a SYN packet when the port in question does not have anything  
> listening on it.  This is normal and complies with RFC 793 (page 65,  
> "SEGMENT ARRIVES - State is CLOSED").

Thanks for the RFC...But,
No other ports without a listening service return an RST ACK to the  
sending host. They are merely dropped. Only 135 is treated in this way.  
I believe there is a more important reason why...besides, as I  
understand it, this is a normal response for ALL closed ports with NO  
firewall in place.
> 
>> 
>> 65.203.175.213:666 > 66.203.175.213:1026 in the form of a Messenger   
>> NetrSendMessage request DCE RPC trying to tell me how to disable  
>> pop-ups and to go to www dot messagestop dot net.
> 
> First off, the Messenger warning and all the 'ads' popping up on  
> people's computers has nothing to do with the MSN Messenger IM  
> service. It is a different Messenger RPC service enabled by default on  
> many Windows hosts.

I knew that, but it's not the CRUX of the biscuit I'm gnawing on. My  
concern is the source address resembling the destination except for the  
leftmost bit. I don't know enough about broadcast, multicast, unicast,  
netmask etc. to dismiss it as mere coincidence. To me it looks sinister  
in nature, a weird kind of spoofing or bit juggling.

Martin Duclos wrote:
> This is slightly off topic, but why don't you chuck the winNT box
> altogether if only used for MSN messenger. Gaim is a great gui for
> instant messenger

It's just the tip of the venerable iceberg of irregularities I  
observed, emanating from nat'd winboxes on the old network. I chose NT  
this time around because it was cheap and offered me a little more  
security control than Win98 did. I'd ditch Windows completely if all  
hardware were fully supported on Linux. One doesn't buy a young person  
an expensive digital camera (with Linux support) especially when he/she  
is clumsy. The 50 buck model will do until the young ones mature, learn  
the value of a dollar and gain some balance. Hence the need to keep a  
Winbox on the network.

Anton Markov wrote:
> Another great messaging program for Linux is Kopete. It supports MSN,
> AIM, ICQ, etc. It has all the admirable traits of Gaim including
> ability to re-name contacts, but also has support for MSN file
> transfer.

I appreciate the suggestion, but if the kids got wind of that file  
transfer thing in Linux, there would be no end to my troubles.

Let me rephrase the original question for part II. What are the odds of  
a class A host getting hit by the identical host on the next lowest  
class A? About 4 billion to one give or take a couple hundred million?

It's Friday the 13th, I should just leave it at that.

BTW- Thanks for the MSN messenger alternatives.

farmer6re9
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
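
The rule cited above from RFC 793 (page 65, "SEGMENT ARRIVES", state CLOSED), as an added example that is not part of the original thread. The helper names, the constructed SYN to port 135 and the modelling of a firewall REJECT as a TCP reset are assumptions made for illustration:

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Constructed 20-byte TCP header (no options, checksum left at 0) plus payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 8192, 0, 0) + payload

def parse_tcp(segment):
    """Return (seq, ack, flags, payload_len) from raw TCP segment bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return seq, ack, off_flags & 0x3F, len(segment) - data_offset

def closed_port_reply(segment):
    """RFC 793 reply for a segment arriving in state CLOSED.

    Returns (seq, ack, flags) of the reset to send, or None for no reply.
    """
    seq, ack, flags, payload_len = parse_tcp(segment)
    if flags & RST:
        return None                      # an incoming RST is discarded
    if flags & ACK:
        return (ack, 0, RST)             # <SEQ=SEG.ACK><CTL=RST>
    # SEG.LEN counts SYN and FIN as one sequence number each
    seg_len = payload_len + bool(flags & SYN) + bool(flags & FIN)
    # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    return (0, (seq + seg_len) % 2**32, RST | ACK)

def firewall_reply(action, segment):
    """Assumed model: DROP stays silent, REJECT answers with a TCP reset."""
    if action == "DROP":
        return None
    if action == "REJECT":
        return closed_port_reply(segment)
    raise ValueError("unknown action: %r" % action)

if __name__ == "__main__":
    syn_135 = build_segment(40000, 135, 1000, 0, SYN)   # constructed probe
    for action in ("DROP", "REJECT"):
        print(action, firewall_reply(action, syn_135))
```

From the sender's side a dropped SYN simply times out, while a rejected one gets the same RST|ACK a host with no listener and no firewall would send.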




