* udp port 1025
From: Askar @ 2004-09-20 7:44 UTC (permalink / raw)
To: netfilter
hi all
I'm taking care of a fw machine that was configured by my predecessor.
The firewall is configured with default policies of ACCEPT for all chains
(because he thinks it's difficult for an ISP to run a firewall with the default set
to DROP).
However, for the time being this is not my concern, but here are a few
lines from the script that are confusing to me:
iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
When I do "tail -f /var/log/messages", I find a lot of the messages below:
Sep 20 12:26:35 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xxx#1025: error sending response: host unreachable
Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
Sep 20 12:26:38 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
Sep 20 12:26:39 guru named[12308]: client xxx.xx.xxx.xxx#1025: error sending response: host unreachable
What is meant by all this? Can someone explain/clear things up for me? :)
May I remove the above iptables rules?
regards
Askar
--
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: udp port 1025
From: Mohamed Eldesoky @ 2004-09-20 8:37 UTC (permalink / raw)
To: netfilter
Search in Google, and feel lucky:
http://www.linklogger.com/TCP1025.htm
On Mon, 20 Sep 2004 13:44:18 +0600, Askar <askarali@gmail.com> wrote:
> hi all
>
> I'm taking care of a fw machine that was configured by my predecessor.
> The firewall is configured with default policies of ACCEPT for all chains
> (because he thinks it's difficult for an ISP to run a firewall with the default set
> to DROP).
> However, for the time being this is not my concern, but here are a few
> lines from the script that are confusing to me:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>
> When I do "tail -f /var/log/messages", I find a lot of the messages below:
>
> Sep 20 12:26:35 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
> Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xxx#1025: error sending response: host unreachable
> Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
> Sep 20 12:26:37 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
> Sep 20 12:26:38 guru named[12308]: client xxx.xx.xxx.xx#1025: error sending response: host unreachable
> Sep 20 12:26:39 guru named[12308]: client xxx.xx.xxx.xxx#1025: error sending response: host unreachable
>
> What is meant by all this? Can someone explain/clear things up for me? :)
> May I remove the above iptables rules?
>
> regards
> Askar
> --
> (after bouncing head on desk for days trying to get mine working, I'll make
> yer life a little easier)
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
* Re: udp port 1025
From: Andrew Schulman @ 2004-09-20 9:37 UTC (permalink / raw)
To: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r
>> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>> iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>
> http://www.linklogger.com/TCP1025.htm
Er... that's TCP. But Mohamed is right, look around for some port lists. I
don't see 1025/UDP on any of them. E.g.
http://www.iss.net/security_center/advice/Exploits/Ports/ doesn't list any
particular use for 1025/UDP (or TCP either), except that it's the first
user-allocable port, so it's not surprising that some hosts should be using
it.
So I say get rid of those rules.
A.
* Re: udp port 1025
From: Chris Brenton @ 2004-09-20 9:56 UTC (permalink / raw)
To: Askar; +Cc: netfilter
On Mon, 2004-09-20 at 03:44, Askar wrote:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>
> when I do "tail -f /var/log/messages", I found lot of below messages
>
> what mean by all this, can someone care to explain/clear things to me? :)
> may I remove the above iptables rules?
Trying to stop pop-up ads maybe? Windows grabs one or more ports between
1025-1029 and holds them open for RPC functions. The result is that spammers
can use them to send pop-up ads to the client. There have also been some
Windows-based viruses that propagate on 1025, so the previous admin may
have used -s 0/0 because internal systems were becoming infected and
going after hosts on the Internet.
What's kind of odd to me is that the logs you posted are for named and
the above rules limit TCP. Named usually uses UDP for queries, which
leaves two possibilities:
1) You have a FORWARD rule someplace else that limits UDP/1025
2) These were queries with large answers (>512 bytes packet size), thus
TCP was invoked.
So it's safe to remove this restriction outbound provided your internal
systems are not infected. I would leave this restriction in place for
inbound traffic and just let in replies statefully.
HTH,
Chris
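The correlation the thread is circling (named's reply goes back to the client's source port, so that port is the reply's --dport, and an OUTPUT DROP on TCP --dport 1025 would discard exactly those replies, while UDP replies are untouched) can be checked mechanically. This is an added example, not code from any poster; the log lines and addresses are constructed to match the format shown above.

```python
import re
from collections import Counter

# Constructed sample input modelled on the log lines and rules quoted in the
# thread; the client addresses are documentation placeholders, not real hosts.
NAMED_LOG = """\
Sep 20 12:26:35 guru named[12308]: client 192.0.2.10#1025: error sending response: host unreachable
Sep 20 12:26:37 guru named[12308]: client 192.0.2.11#1025: error sending response: host unreachable
Sep 20 12:26:37 guru named[12308]: client 192.0.2.10#1025: error sending response: host unreachable
Sep 20 12:26:38 guru named[12308]: client 192.0.2.12#53412: error sending response: host unreachable
"""

IPTABLES_RULES = """\
iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
"""

LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"error sending response: (?P<reason>.+)$")
RULE_RE = re.compile(
    r"iptables -A (?P<chain>\S+) -p (?P<proto>\S+) .*--dport (?P<dport>\d+) -j (?P<target>\S+)")


def parse_named_errors(log):
    """Return (client_ip, client_port, reason) for each 'error sending response' line."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["ip"], int(m["port"]), m["reason"]))
    return out


def parse_drop_rules(rules):
    """Return {(chain, PROTO, dport)} for every DROP rule that matches a destination port."""
    drops = set()
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if m and m["target"] == "DROP":
            drops.add((m["chain"], m["proto"].upper(), int(m["dport"])))
    return drops


def responses_blocked_by_output(errors, drops, proto="TCP"):
    """Count failed replies whose client port is DROPped on OUTPUT for the given protocol.
    The reply's destination port is the client's source port, hence the match on --dport."""
    blocked = {dport for chain, p, dport in drops if chain == "OUTPUT" and p == proto}
    return Counter(port for _, port, _ in errors if port in blocked)
```

Run against the posted rules, every 1025 entry correlates with the TCP OUTPUT drop and nothing correlates for UDP, which is the mismatch Chris points out.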