Security Incidents mailing list archives

Re: odd message showing up logs...


From: jlgaddis () BLUERIVER NET (Jeremy Gaddis)
Date: Sat, 6 May 2000 22:39:52 -0500


At 11:38 PM 5/3/00 -0800, Josh Burroughs wrote:

May  3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to
callit(390109): request from unauthorized host

Ok discworld is the name of my server, it's a linux box, RH6.1, has a
pretty tight firewall plus uses tcp wrappers, only machines inside my
little private network have access to most services, http is open and a
handful of hosts have ftp access. I am running NFS and I do have port 111
tcp/udp blocked in the firewall. This entry just strikes me as odd and I was
hoping someone could explain what it means. Thanks in advance.

It means your firewall isn't "pretty tight".  If only machines inside your
private network have access to most services, why was 24.237.52.26 not
blocked by your firewall?  You shouldn't ever see a connection in the logs,
you should see a log entry where the packets to establish the connection
were denied by your firewall (when properly configured, that is).

May I suggest the usual method of firewalling?  Deny everything, then allow
only what you explicitly need, from specific hosts.  If 24.237.52.26 isn't
allowed to access portmap, why did the packets make it through the firewall?
You may want to reconsider your firewall configuration.

-jg

--
Jeremy L. Gaddis      <jlgaddis () blueriver net>
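
The point made in the reply above, as an added example that is not part of the original messages: every portmap refusal logged for a source outside the private network is a request the packet filter passed and only tcp wrappers stopped. The internal range `192.168.1.0/24`, the function name and all sample log lines except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# tcp-wrappers refusal as logged by portmap, in the format quoted in the thread.
REFUSAL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[\d+\]: "
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>\d*)\): "
    r"request from unauthorized host$"
)

# Assumption: the private network is 192.168.1.0/24 (not stated in the thread).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# First line is the entry from the thread, joined onto one line.
# The remaining lines are constructed sample data.
SAMPLE_LOG = """\
May  3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to callit(390109): request from unauthorized host
May  3 22:15:40 discworld portmap[2371]: connect from 192.168.1.20 to getport(100003): request from unauthorized host
May  3 22:16:02 discworld kernel: constructed non-portmap line
May  3 22:17:55 discworld portmap[2371]: connect from 24.237.52.26 to getport(100003): request from unauthorized host
"""


def portmap_firewall_leaks(log_text, internal_nets=INTERNAL_NETS):
    """Return {source: [(timestamp, procedure, program), ...]} for portmap
    refusals whose source is not inside internal_nets."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = REFUSAL.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            if any(src in net for net in internal_nets):
                continue  # refused by wrappers, but never crossed the firewall
        except ValueError:
            pass  # logged as a hostname: cannot be shown internal, so report it
        leaks[m["src"]].append((m["ts"], m["proc"], m["prog"]))
    return dict(leaks)


if __name__ == "__main__":
    for src, hits in portmap_firewall_leaks(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} portmap request(s) passed the firewall")
        for ts, proc, prog in hits:
            print(f"  {ts}  {proc}({prog})")
```

With a default-deny packet filter in front of port 111 the result should be empty, and the same sources should appear only in the firewall's own deny log.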


