Hello,
I installed OpenBSD 4.4 with: Apache (listening on ext_if), Postfix (listening on ext_if) + clamav (listening on localhost) + spamassassin (listening on localhost), bind (listening on int_if), and pf configured to use ftp-proxy for the clients. But when I scan my ext_if with nmap I see port 1720 open. Nothing in inetd.conf! I know this port can be used to communicate via the H.323 protocol, but I don't use it. How can I find out why this port is open, and how can I block it? If you want more detail on my config, tell me. Thanks
Sorry,
but I don't have this command. And I can't find this package in my PKG_PATH. Maybe it's included in another package? Can you tell me where I can find it? I think this port is opened dynamically, like an inetd service, because when I do a netstat -an | grep LISTEN I don't see this port. Thanks
Last edited by killa74; 11th February 2009 at 08:58 AM.
sockstat is part of the FreeBSD base system. I had hoped it would be part of OpenBSD's as well. There's a python script that emulates its behaviour:
http://wiki.e-shell.org/OpenBSDSockstat
Thanks for your quick answer.
I'll test this.
So,
I installed Python 2.5 and downloaded the e-shell script. This is my output when I run sockstat -l4 (while connecting from outside with telnet on port 1720):
Code:
www      httpd        13355  17* internet stream tcp 0xd849cc80 *:80
www      httpd         3961  17* internet stream tcp 0xd849cc80 *:80
www      httpd        28532  17* internet stream tcp 0xd849cc80 *:80
_clamav  perl          3805   6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_clamav  perl         17851   6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_clamav  perl         29659   6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_mysql   mysqld       16257  16* internet stream tcp 0xd8376c84 127.0.0.1:3306
root     couriertcpd  14199   3* internet stream tcp 0xd83767d4 127.0.0.1:143
_spamd   spamd        19134   4* internet stream tcp 0xd8376194 *:8025
_spamd   spamd        19134   5* internet stream tcp 0xd8376324 127.0.0.1:8026
_spamd   spamd         1598   4* internet stream tcp 0xd8376194 *:8025
_spamd   spamd         1598   5* internet stream tcp 0xd8376324 127.0.0.1:8026
_spamd   spamd         2714   4* internet stream tcp 0xd8376194 *:8025
_spamd   spamd         2714   5* internet stream tcp 0xd8376324 127.0.0.1:8026
www      httpd         4466  17* internet stream tcp 0xd849cc80 *:80
www      httpd        20633  17* internet stream tcp 0xd849cc80 *:80
www      httpd        15699  17* internet stream tcp 0xd849cc80 *:80
www      httpd        27640  17* internet stream tcp 0xd849cc80 *:80
www      httpd        14502  17* internet stream tcp 0xd849cc80 *:80
root     sshd          5086   5* internet stream tcp 0xd8376004 *:22
proxy    ftp-proxy    24303   3* internet stream tcp 0xd849c960 127.0.0.1:8021
www      httpd        21704  17* internet stream tcp 0xd849cc80 *:80
root     master       24553  12* internet stream tcp 0xd849c640 127.0.0.1:25
root     master       24553  13* internet stream tcp 0xd849c7d0 x.x.x.x:25
root     master       24553  89* internet stream tcp 0xd849caf0 127.0.0.1:10025
named    named        10908  21* internet stream tcp 0xd849c190 127.0.0.1:53
named    named        10908  22* internet stream tcp 0xd849c000 x.x.x.x:53
named    named        10908  23* internet stream tcp 0xd849c4b0 127.0.0.1:953
named    named        10908 513* internet dgram  udp 127.0.0.1:53
named    named        10908 514* internet dgram  udp x.x.x.x:53
named    named        10908 515* internet dgram  udp *:14149
_syslogd syslogd      22674   4* internet dgram  udp *:514
This port is not present in the output. Bizarre, bizarre.
OpenBSD has the fstat(1) program which can show an application that has a TCP or UDP port open; e.g.:
Code:
$ fstat | grep :1720
But an application does not have to be listening on the port for it to be open -- if pf(4) is being used, a rdr rule may open the port.
__________________
OpenBSD LiveCDs/LiveDVDs
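The two checks in the reply above (a local listener via fstat, or a pf rdr rule) can be combined into one script, and the case where neither applies is exactly the "something upstream answered the scanner" situation. The script below is an added example, not code from this thread or from OpenBSD; with SAMPLE=1 it reads constructed data modelled on the poster's listing and pf.conf (192.0.2.1 stands in for the masked x.x.x.x), so it runs offline, and without SAMPLE it runs the real fstat(1) and `pfctl -s nat`, which need root to see everything.

```shell
#!/bin/sh
# Added example, not code from the thread. Answers "why is TCP port N open?"
# from the OpenBSD host's own point of view:
#   local-listener  a process on this host has the port bound (fstat)
#   pf-rdr          no listener, but a pf rdr rule forwards that port
#   not-this-host   neither: whatever answered the scanner is in the path
#                   (an upstream NAT/UPnP router), not this machine

listeners() {
    if [ "${SAMPLE:-0}" = 1 ]; then
        # Constructed sample: a subset of the poster's fstat-style listing,
        # plus one established connection (the "<--" line) to show it is ignored.
        cat <<'EOF'
www      httpd      13355 17* internet stream tcp 0xd849cc80 *:80
www      httpd       4466 18* internet stream tcp 0xd849d000 192.0.2.1:80 <-- 198.51.100.7:51234
_clamav  perl        3805  6* internet stream tcp 0xd8376e14 127.0.0.1:10024
_spamd   spamd      19134  4* internet stream tcp 0xd8376194 *:8025
root     sshd        5086  5* internet stream tcp 0xd8376004 *:22
proxy    ftp-proxy  24303  3* internet stream tcp 0xd849c960 127.0.0.1:8021
root     master     24553 13* internet stream tcp 0xd849c7d0 192.0.2.1:25
named    named      10908 22* internet stream tcp 0xd849c000 192.0.2.1:53
named    named      10908 514* internet dgram udp 192.0.2.1:53
_syslogd syslogd    22674  4* internet dgram udp *:514
EOF
    else
        fstat
    fi
}

rdr_rules() {
    if [ "${SAMPLE:-0}" = 1 ]; then
        # Constructed sample of what `pfctl -s nat` prints for the poster's
        # ftp-proxy rdr (192.168.16.1 assumed as the fxp2 address).
        cat <<'EOF'
nat on fxp1 inet from ! (fxp1) to any -> (fxp1:0)
rdr pass inet proto tcp from 127.0.0.1 to any port = 21 -> 127.0.0.1 port 8021
rdr pass inet proto tcp from 192.168.16.1 to any port = 21 -> 127.0.0.1 port 8021
EOF
    else
        pfctl -s nat
    fi
}

# Print one word for the port: local-listener, pf-rdr, or not-this-host.
explain_port() {
    port=$1
    # fstat socket lines read "internet stream tcp <addr> local[:port]";
    # a listening socket has no "<--"/"-->" peer. Match ":port" at the end
    # of a field so that :25 does not also match :8025.
    if listeners | awk -v p="$port" '
        $5 == "internet" && !/<--/ && !/-->/ {
            for (i = 8; i <= NF; i++) if ($i ~ (":" p "$")) found = 1
        }
        END { exit !found }'; then
        echo local-listener
        return 0
    fi
    # pfctl prints the service name (port = ftp) when /etc/services has one,
    # so accept either the number or the name for the original destination port.
    name=""
    if [ -r /etc/services ]; then
        name=$(awk -v p="$port" '$2 == p "/tcp" { print $1; exit }' /etc/services)
    fi
    if rdr_rules | awk -v p="$port" -v n="$name" '
        /^rdr / {
            for (i = 1; i <= NF - 2; i++)
                if ($i == "port" && $(i+1) == "=" &&
                    ($(i+2) == p || (n != "" && $(i+2) == n))) found = 1
        }
        END { exit !found }'; then
        echo pf-rdr
        return 0
    fi
    echo not-this-host
}

# Usage: sh explain_port.sh 1720      (offline: SAMPLE=1 sh explain_port.sh 1720)
if [ $# -gt 0 ]; then
    explain_port "$1"
fi
```

For the box in this thread the script reports local-listener for 80, 22 and 25, pf-rdr for 21, and not-this-host for 1720, which is the same conclusion the thread reaches: a pf rule on this host cannot change what an upstream router answers on its behalf, so the next step is to scan from a vantage point that reaches the OpenBSD address directly, or to compare the scan result with one taken on the router's LAN side.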
I don't understand your last reply, but the fstat command shows me nothing.
What I'm saying is: 1 - I don't use any program that listens on this port. 2 - I use PF to filter all traffic. 3 - When I do a netstat this port is not in LISTEN, but when I scan the interface it says port 1720 open, H323. This is my pf.conf:
Code:
# Interfaces
ext_if="fxp1"
int_if="fxp2"
wifi_if="ath0"
good_if="{ 127.0.0.1, fxp2, ath0 }"

# Services reachable from the Internet
web_services="{ 22, 25, 80}"

# Services reachable from the LAN
tcp_lan_services="{ 80, 22, 443, 1863}"
udp_lan_services="{ 1863 }"

# DNS
dns_services="{ 53 }"

# Free's DNS server
dns_free="212.27.53.252"

# Loopback
loopback="127.0.0.1"

# Tables
table <good> { 192.168.16.0/24 }
table <wifi> { 192.168.1.0/24 }

# The bad guys
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# Do not filter loopback
set skip on { lo0 }

# Packet reassembly
scrub in all

# NAT on ext_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from $good_if to any port 21 -> 127.0.0.1 port 8021

# Block everything by default
block in all
block return

# Keep state on outgoing packets
pass out keep state

# Anchor for ftp-proxy
anchor "ftp-proxy/*"

# Antispoof
antispoof log for { $ext_if, $wifi_if, $int_if }

# Block RFC 1918 and other martian addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow web_services on the external interface
pass in on $ext_if inet proto tcp from any to $ext_if port $web_services flags S/SA keep state

# Allow the server itself to reach Free's DNS server
pass out on $ext_if inet proto tcp from self to $dns_free port $dns_services flags S/SA keep state
pass out on $ext_if inet proto udp from self to $dns_free port $dns_services keep state

#----------------------------------------------------------------------------------------------------
# Allow the LAN PCs to reach Free's DNS server
#pass in on $int_if proto tcp from <good> to $dns_free port $dns_services flags S/SA keep state
#pass in on $int_if proto udp from <good> to $dns_free port $dns_services keep state
pass in on $wifi_if proto tcp from <wifi> to $dns_free port $dns_services flags S/SA keep state
pass in on $wifi_if proto udp from <wifi> to $dns_free port $dns_services keep state

# Allow the LAN PCs to reach web servers
pass in on $wifi_if proto tcp from <wifi> to port $tcp_lan_services flags S/SA keep state
pass in on $wifi_if proto udp from <wifi> to port $udp_lan_services keep state
Thanks
Your pf.conf does not have a redirect for port 1720, only for port 21. Port 1720 is not being serviced by your OpenBSD system, as far as I can tell.
Port 1720 is used for Microsoft NetMeeting. Are you absolutely sure you are scanning the correct physical device? If you are testing the connection to the OpenBSD platform via another router, you could be seeing a port redirection:
Code:
[nmap testing system] --- {NAT router} --- [OpenBSD]
                              |
                              |
                       [Windows system]
__________________
OpenBSD LiveCDs/LiveDVDs
As jggimi said, the service isn't running locally, and pf clearly isn't redirecting the port.
So, either you're scanning the wrong external IP address, or perhaps you have a NAT router with UPnP connected to your modem? I must ask, do you use VoIP services of any kind?
Does the following look familiar?
Code:
+------------- VoIP phone
|
Modem
|
+------------- OpenBSD
OK, man.
jggimi is right. I understand what you say, and after reflection: I'm on my business LAN behind a router that provides videoconferencing features in some rooms (I'm working in a hospital). I asked a friend to scan my firewall and everything is OK. Thanks a lot again.