why would a mirror want to hit port 5949 or 15076?
David Timms
dtimms at bigpond.net.au
Sat Feb 25 06:48:19 UTC 2006
Brian Millett wrote:
> Hello, A question about ports.
>
> I tried to go to mirror ftp://fedora.namibia.na and when I did, my
> firestarter lit up with two events from 196.44.128.220 which is the
> fedora.namibia.na site. They were ICMP requests on ports 5949 & 15076.

My understanding is that ICMP does not have ports, but does have various
types. The ports given seem more like either udp or tcp port numbers...

> Why? What are those ports? A google really gave me nothing.

ethereal-gnome.
Capture everything for your connected net connection. Repeat what you
mentioned triggered the detection, then stop the ethereal capture.
Try filtering the capture on:
  icmp
  tcp
  udp
  tcp and not tcp.port==80 (i.e. filter out the normal web port)
  not tcp.port==80
and see if you/we can make sense of the capture.
Perhaps it is really tcp ports for an active ftp connection: this is
where when you request a file, the ftp server creates a new inbound data
connection to the connected address. Two ways around it:
. tell the ftp client to use passive mode instead.
. use the ftp application layer gateway (ftp connection track) in iptables.
DaveT.
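
The active-mode explanation in the reply above, as an added example that is not part of the original post: it reads the port a client announces on the FTP control channel and checks whether blocked inbound events from the server match it. It goes slightly beyond the post by also handling the IPv4 form of EPRT; the client address 192.0.2.10, the control lines and the function names are constructed, and it assumes the control channel was captured in cleartext.

```python
import re

# Active-mode FTP: the client announces an address/port on the control
# channel, and the server then opens the data connection *to* that port.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"^EPRT \|1\|([\d.]+)\|(\d+)\|\s*$")  # RFC 2428, IPv4 form


def announced_endpoint(line):
    """Return (ip, port) announced by a PORT/EPRT command, else None."""
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # malformed octet
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m and int(m.group(2)) <= 65535:
        return m.group(1), int(m.group(2))
    return None


def explain_blocked(control_lines, server_ip, blocked_events):
    """Label each blocked inbound event as an expected active-mode data
    connection (source is the FTP server, destination port was announced
    by the client) or as unexplained."""
    announced = {ep[1] for ep in map(announced_endpoint, control_lines) if ep}
    result = {}
    for src_ip, dst_port in blocked_events:
        expected = src_ip == server_ip and dst_port in announced
        result[(src_ip, dst_port)] = "active-ftp-data" if expected else "unexplained"
    return result


# Constructed sample data: client address 192.0.2.10 and the control-channel
# lines are invented; the server address and ports are the ones from the post.
CONTROL = ["USER anonymous", "PORT 192,0,2,10,23,61", "LIST",
           "EPRT |1|192.0.2.10|15076|", "RETR README"]
BLOCKED = [("196.44.128.220", 5949), ("196.44.128.220", 15076),
           ("196.44.128.220", 4000)]

if __name__ == "__main__":
    for event, verdict in explain_blocked(CONTROL, "196.44.128.220", BLOCKED).items():
        print(event, verdict)
```

An event labelled "unexplained" is one the control channel never announced, so it is the one worth a closer look in the capture.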