-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday, 02 May 2012 15:56 -0700,
in article <michelle->,
Michelle Steiner <> wrote:
> In article < >,
> David Ritz <> wrote:
>> As to your question of why one doesn't want these ports to be world
>> accessible, the answer has to do with whether or not one wants
>> anyone in the world to be able to access these ports and their
>> associated services. If you answer yes, you may just have flunked
>> your driver's license test for the infobahn.
> But if those ports are blocked, how can there be legitimate access
> from the world?
OK. Let's go back to your original post in this thread. I've
narrowed the list of open ports you posted, to those identified by
name in your port scan.
> In article <michelle->,
> Michelle Steiner <> wrote:
>> Open TCP Port: 88 kerberos
kerberos-sec 88/tcp 0.006072 # Kerberos (v5)
kerberos-sec 88/udp 0.013476 # Kerberos (v5)
Do you want everyone on the Internet, whether or not you've authorized
them, to have access to security software and services running on your
Mac?
>> Open TCP Port: 515 printer
printer 515/tcp 0.007214 # spooler (lpd)
printer 515/udp 0.011022 # spooler (lpd)
Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your printer spool and Laser Printer Daemon?
>> Open TCP Port: 548 afpovertcp
afp 548/tcp 0.012395 # AFP over TCP
afp 548/udp 0.000774 # AFP over UDP
Do you want everyone on the Internet, whether or not you've authorized
them, to have access to your Apple Filing Protocol shares and network
services?
>> Open TCP Port: 631 ipp
ipp 631/tcp 0.006160 # Internet Printing Protocol -- for one implementation see http://www.cups.org (Common UNIX Printing System)
ipp 631/udp 0.450281 # Internet Printing Protocol
Do you want everyone on the Internet, whether or not you've authorized
them, to be able to use your IP connected printer?
>> Open TCP Port: 3689 daap
rendezvous 3689/tcp 0.002283 # Rendezvous Zeroconf (used by Apple/iTunes)
daap 3689/udp 0.000330 # Digital Audio Access Protocol
Do you want everyone on the Internet, whether or not you've authorized
them, to be able to access your iTunes library? It's only intended
for sharing over a local network.
Here, we need to distinguish between private IP space and public IP
space. Behind your firewall, it appears that you are using services,
locally, which are not accessible to the outside world. That's a good
thing.
I, on the other hand, have _chosen_ to globally open two ports, for
WWW and Secure Shell. The result is, I see as many as several hundred
break-in or exploit attacks on those ports, on any given day. Many of
the sources of these attacks end up in my local ipfw.conf.
Here's an example from yesterday.
$ grep -c sshd.\*61.136.171.198 /var/log/secure.log
104
That indicates 104 intrusion attempts from that single IP address.
$ whois -A 61.136.171.198|iprange2cidr.pl
61.136.128.0/17
The IP address in question is assigned, by APNIC, to CHINANET-HB.
CHINANET-HB uses poorly conceived mail filters, which prevents most
abuse complaints from reaching their NIC designated POC,
<abuse_hb[at]public.wh.hb.cn>.
$ grep 61.136.128.0\/17 /etc/ipfilter/ipfw.conf
add 10050 deny ip from 61.136.128.0/17 to any in
If CHINANET-HB isn't willing to accept reports of network attacks or
other abuse, I'm not willing to allow their IP space to have access to
my property. As a result, I'm currently blocking all of CHINANET-HB.
$ whois -A CHINANET-HB|iprange2cidr.pl
27.16.0.0/12
58.48.0.0/13
59.172.0.0/14
61.136.128.0/17
61.183.0.0/16
61.184.0.0/16
103.22.80.0/22
111.170.0.0/16
111.172.0.0/14
111.176.0.0/13
116.207.0.0/16
116.208.0.0/14
119.96.0.0/13
121.60.0.0/14
171.40.0.0/13
171.80.0.0/14
171.112.0.0/14
202.103.0.0/18
202.110.128.0/18
219.138.0.0/15
219.140.0.0/16
221.232.0.0/14
Right now, I'm composing this message on my world facing box, via SSH,
Secure SHell, while I'm actually depressing the keys on my laptop, in
another room. I could as easily be doing the same, using any Internet
connected computer with an SSH client, from any location in the world.
(This assumes that the IP address from which I wish to access the
server, isn't already blocked by my home brew ipfw rules. [ipfw --
BSD IP firewall and traffic shaper control program])
I'm not suggesting that you open holes in your world facing firewall.
Doing so opens a nasty can of worms. For now, you appear to be safely
behind a firewall. That firewall may exist in your cable modem or
gateway, which presumably places your router and computer(s) safely
behind it.
- --
David Ritz <>
"(The Internet is) the largest equivalence class in the reflexive
transitive symmetric closure of the relationship `can be reached by
an IP packet from'." - Seth Breidbart
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>
iEYEARECAAYFAk+h3iUACgkQUrwpmRoS3utu8ACaAxyEutdM0grEMq8LbUw5ppWO
l3UAn2yVfmQEciEEjPr09tCveS/4r4J2
=342t
-----END PGP SIGNATURE-----
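The pipeline David describes above (count sshd attempts per source in secure.log, look up the offender's allocation with whois, turn the inetnum range into CIDRs the way iprange2cidr.pl does, and emit an ipfw deny rule) as one added worked example. This is not code from the original post or from iprange2cidr.pl; the log lines and the whois text are constructed for the example, and the regexes, rule numbering and the admin-address check are this example's own assumptions. It also adds the check his parenthetical warns about: refuse a range that would block the address you administer from.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a macOS /var/log/secure.log.
# They are made up for this example; they are not the poster's log.
SAMPLE_SECURE_LOG = """\
May  1 03:12:07 mac sshd[4101]: Invalid user admin from 61.136.171.198
May  1 03:12:09 mac sshd[4101]: Failed password for invalid user admin from 61.136.171.198 port 52110 ssh2
May  1 03:12:15 mac sshd[4103]: Failed password for root from 61.136.171.198 port 52114 ssh2
May  1 03:14:40 mac sshd[4110]: Failed password for root from 198.51.100.23 port 40022 ssh2
May  1 03:15:02 mac sshd[4112]: Accepted publickey for dritz from 192.0.2.10 port 51000 ssh2
May  1 03:16:30 mac cupsd[120]: Listening to localhost:631 (IPv4)
"""

# Constructed whois output in APNIC "inetnum" style for the /17 quoted in the
# post; the range boundaries are an assumption here, not a live lookup.
SAMPLE_WHOIS = """\
inetnum:        61.136.128.0 - 61.136.255.255
netname:        CHINANET-HB
descr:          constructed example record
"""

# Assumed sshd failure formats; adjust to the sshd version actually in use.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: (?:Failed password|Invalid user).*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})"
)
INETNUM = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.MULTILINE)


def failed_sshd_by_source(log_text):
    """Count failed/invalid sshd logins per source IP: what `grep -c sshd.*IP`
    gives for one address, restricted to failures and tallied for all at once."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """Sources at or above the threshold, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def range_to_cidrs(first, last):
    """What iprange2cidr.pl does: the minimal CIDR list covering first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def cidrs_from_whois(whois_text):
    """Pull every inetnum range out of whois output and convert it to CIDRs."""
    cidrs = []
    for first, last in INETNUM.findall(whois_text):
        cidrs.extend(range_to_cidrs(first, last))
    return cidrs


def ipfw_deny_rules(cidrs, first_rule=10050, step=10):
    """Render numbered ipfw 'deny ip from <cidr> to any in' lines."""
    return [f"add {first_rule + i * step} deny ip from {c} to any in"
            for i, c in enumerate(cidrs)]


def covers(cidrs, ip):
    """True if ip falls inside any of the CIDRs; used to make sure the address
    you administer from is not about to be locked out by your own rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def build_blocklist(log_text, whois_by_ip, threshold, admin_ip):
    """Offenders -> their whois ranges -> CIDRs -> ipfw rules, refusing any
    range that would cut off admin_ip. whois_by_ip is a dict of pre-fetched
    whois text keyed by offending address, so this runs offline."""
    cidrs = []
    for ip in offenders(failed_sshd_by_source(log_text), threshold):
        for c in cidrs_from_whois(whois_by_ip.get(ip, "")):
            if covers([c], admin_ip):
                raise ValueError(f"{c} would block the admin address {admin_ip}")
            if c not in cidrs:
                cidrs.append(c)
    return ipfw_deny_rules(cidrs)


if __name__ == "__main__":
    whois_cache = {"61.136.171.198": SAMPLE_WHOIS}
    for rule in build_blocklist(SAMPLE_SECURE_LOG, whois_cache, 3, "192.0.2.10"):
        print(rule)
```

With the constructed input the script prints the single rule `add 10050 deny ip from 61.136.128.0/17 to any in`, the same line the post shows in ipfw.conf. The threshold is deliberately a parameter: a single failed password is not an attack, but dozens from one address in a day is, and the admin-address check matters most when a whois record spans a large block such as a /12.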