Hi,
There was a firewall change in our company. That went smoothly except for one part. The firewall team said that they are seeing some failures on some random ports. A few days back they also found 2 ports and allowed them. Today again they see two new ports. So it looks like those ports are random.
Here is the denial message, in firewall terms:
Code:
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.246/896->192.168.70.133/55622 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.247/896->192.168.70.134/44283 0x0 None 17(0) 9999999(global) core emer-app
192.168.75.246 and 192.168.75.247 are UNIX clients.
192.168.70.133 and 192.168.70.134 are NIS servers.
When I logged in to both NIS servers and tried to find these ports, they turned out to be ypbind:
Code:
nis-serv3 # /usr/local/bin/lsof -i:55622
nis-serv3 # /usr/local/bin/lsof -i:44283
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ypbind 597 root 4u IPv4 0x30125a010d8 0t0 UDP *:44283 (Idle)
nis-serv3 # ps -ef | grep 597
root 597 1 0 Jul 01 ? 28:42 /usr/lib/netsvc/yp/ypbind
nis-serv3 #
-------------------
nis-serv4 # /usr/local/bin/lsof -i:55622
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ypbind 5805 root 4u IPv4 0x30001c93838 0t0 UDP *:55622 (Idle)
nis-serv4 # /usr/local/bin/lsof -i:44283
nis-serv4 # ps -ef | grep 5805
root 25331 20193 0 17:45:48 pts/1 0:00 grep 5805
root 5805 1 0 Jul 01 ? 24:11 /usr/lib/netsvc/yp/ypbind
nis-serv4 #
Now the concern is, why are these random ports? Every time I reboot a NIS server or there is a change, NIS queries will be denied and the firewall team needs to be involved. Is there any range of ports or known ports which should be known to us and should already be added on the firewall?
Please suggest.
--------------------------------
Update: I learned that these random ports are ephemeral ports, which can keep changing when service restarts and they are firewalled. If that is the case, they will need to be un-firewalled or the problem will persist.
Will it not be a security risk to have them open, or should it be applied on the firewall in a different way?
Thanks
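An added example (not from the original post): a small Python parser for the RT_FLOW_SESSION_DENY lines quoted above that flags destination ports falling in the dynamic range, so the pattern described (a new high UDP port on each NIS server after a restart) shows up in one pass over the firewall log instead of being noticed two ports at a time. The ephemeral range, the third sample line and the `ndd` check are assumptions, not from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two deny lines quoted in the post plus one
# constructed line to the rpcbind/portmapper port (111) for contrast.
SAMPLE_LOG = """\
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.246/896->192.168.70.133/55622 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.247/896->192.168.70.134/44283 0x0 None 17(0) 9999999(global) core emer-app
USER-6-RT_FLOW_SESSION_DENY: session denied 192.168.75.246/1023->192.168.70.133/111 0x0 None 17(0) 9999999(global) core emer-app
"""

# Field layout as it appears in the post: session denied SRC/SPORT->DST/DPORT <x> <y> PROTO(...)
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) \S+ \S+ (?P<proto>\d+)\("
)

# Assumed dynamic ("anonymous") port range of the NIS servers; Solaris defaults
# to 32768-65535 (check on the host with: ndd /dev/udp udp_smallest_anon_port).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 65535
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_denies(text):
    """One record per deny line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        records.append({
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": dport,
            "proto": PROTO_NAMES.get(int(m.group("proto")), m.group("proto")),
            "ephemeral": EPHEMERAL_LOW <= dport <= EPHEMERAL_HIGH,
        })
    return records


def summarize(records):
    """Per (server, protocol): denied ports split into ephemeral vs fixed.
    A server whose ephemeral list keeps gaining entries after restarts is the
    pattern in the post (ypbind on a dynamically assigned RPC port)."""
    out = defaultdict(lambda: {"ephemeral": set(), "fixed": set()})
    for r in records:
        out[(r["dst"], r["proto"])]["ephemeral" if r["ephemeral"] else "fixed"].add(r["dport"])
    return {k: {c: sorted(v) for c, v in d.items()} for k, d in out.items()}
```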