From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Askar <askarali@gmail.com>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: udp port 1025
Date: Mon, 20 Sep 2004 05:56:14 -0400
Message-ID: <1095674173.1779.88.camel@grendel>
In-Reply-To: <a0f69e5040920004411e0eeb6@mail.gmail.com>

On Mon, 2004-09-20 at 03:44, Askar wrote:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> 
> when I do "tail -f /var/log/messages", I found lot of below messages
> 
> what mean by all this, can someone care to explain/clear things to me? :)
> may I remove the above iptables rules?

Trying to stop pop-up ads maybe? Windows grabs one or more ports between
1025-1029 and holds them open for RPC functions. The result is spammers
can use them to send pop-up ads to the client. There have also been some
Windows based viruses that propagate on 1025, so the previous admin may
have used -s 0/0 because internal systems were becoming infected and
going after hosts on the Internet.

What's kind of odd to me is that the logs you posted are for named and
the above rules limit TCP. Named usually uses UDP for queries which
leaves two possibilities:

1) You have a FORWARD rule someplace else that limits UDP/1025
2) These were queries with large answers (>512 bytes packet size), thus
TCP was invoked. 

So it's safe to remove this restriction outbound provided your internal
systems are not infected. I would leave this restriction in place for
inbound traffic and just let in replies statefully.

HTH,
Chris
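The stateful variant the reply recommends, as an added example that is not part of the original thread: it keeps the inbound TCP/1025 block but accepts replies to connections already allowed, so a DNS answer coming back to ephemeral port 1025 is no longer dropped. The interface name eth0 is a placeholder assumption; the script only prints the rules unless told to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 is the Internet-facing
# interface (placeholder); adjust WAN_IF before applying as root.
WAN_IF="${WAN_IF:-eth0}"

# The rules from the original post, kept only for comparison. They drop
# TCP/1025 in every direction, so a reply to a local connection whose
# ephemeral source port happened to be 1025 (e.g. a DNS-over-TCP fallback
# for an answer larger than 512 bytes) is dropped on INPUT or FORWARD.
original_rules() {
  cat <<'EOF'
iptables -A INPUT   -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A OUTPUT  -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
EOF
}

# Stateful replacement. Order matters: the ESTABLISHED,RELATED accepts are
# appended before the DROPs, so replies are matched first. Only NEW inbound
# connection attempts from the Internet to TCP/1025 are logged and dropped;
# there is no OUTPUT rule, so outbound TCP/1025 is allowed again (which the
# reply says is safe only if internal hosts are not infected).
stateful_rules() {
  cat <<EOF
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -i $WAN_IF -p tcp --dport 1025 -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FW tcp1025 in: "
iptables -A INPUT   -i $WAN_IF -p tcp --dport 1025 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -i $WAN_IF -p tcp --dport 1025 -m conntrack --ctstate NEW -j DROP
EOF
}

# "show" (default) prints the rule set; "apply" feeds it to sh as root.
case "${1:-show}" in
  show)  stateful_rules ;;
  apply) stateful_rules | sh ;;
esac
```

The LOG rule gives a recognisable prefix in /var/log/messages, so future blocked connections can be told apart from named's own log lines.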



