Comments on: A chink in the AirPort armor?

By: Billy Halsey

Billy Halsey — Sun, 07 Oct 2007 21:27:02 +0000

Thanks for the suggestion, Kim. I’ve been using netstat for a long time as well on various systems. Unfortunately it doesn’t do much good when you discover the attempt in your logs two days later. I can’t see what ports were actually open at the time on my MBP, or what application(s) were serving which ports at the time which would have caused NAT-PMP to open the firewall ports in question.

By: Kim Fairlane

Kim Fairlane — Sun, 07 Oct 2007 16:30:23 +0000

Have you tried netstat from a command line prompt?
netstat is used to see what ports are being listened on and which have established connections.
I usually use this in windows and linux environments for debugging network related issues. However, I googled the netstat command for mac os x, and I think these commands can show information that might shed a light as to which app is opening these ports:
netstat -a (-A ;couldn’t understand what the difference is)
netstat -np (shows all protocols and which ports they use, without doing a namelookup on IP’s)
Here’s a link to where I found the information:
http://www.osxfaq.com/man/1/netstat.ws

BR, Kim

By: Rob

Rob — Fri, 05 Oct 2007 00:04:18 +0000

This is exactly why we use “Defense in Depth”.

By: Billy Halsey

Billy Halsey — Thu, 04 Oct 2007 23:52:42 +0000

@ Twist — The logs are showing up on my MBP, which means that these attempts are making it through my AirPort Extreme base station. That’s the problem. The MBP is blocking them, but the base station should be and I shouldn’t be seeing them in my log file at all.

@ Rob — ‘Enable NAT Port Mapping Protocol’ is checked. I suppose that would do it, then! I’m still going to fault Apple for this one, because even a techie like me turns it on thinking it necessary for any port mapping, not realizing that it’s actually the NAT-PMP alternative to uPNP. I’ve turned it off and we’ll see what happens.

False alarm or coincidence? Like I said, I don’t have any apps that I’m aware of that run on those ports. That it lasted two hours and a few odd seconds seems extra fishy.

Thanks for your help, everyone.

By: Rob

Rob — Thu, 04 Oct 2007 23:17:13 +0000

Do you have “Enable NAT Port Mapping Protocol” enabled in the base station?

By: Twist

Twist — Thu, 04 Oct 2007 22:41:01 +0000

Blocked attempts normally means that there was an attempt to access your network via that port and it was blocked by your firewall. Means it was doing its job and you shouldn't have anything to worry about.

By: Billy Halsey

Billy Halsey — Thu, 04 Oct 2007 22:18:05 +0000

@rob — I’ve got the full log at my website. (The hostname & IP in the logs are fake.)

@max — I run Little Snitch 2.0b7, but it didn’t show me anything relevant.

By: max

max — Thu, 04 Oct 2007 16:59:33 +0000

Lil’ snitch will inform you about which ports are in use by which apps on your mac.

By: Rob

Rob — Thu, 04 Oct 2007 14:43:27 +0000

can you post a couple of lines from your ipfw.log?

By: Billy Halsey

Billy Halsey — Thu, 04 Oct 2007 13:55:56 +0000

@Codepope — I considered that. The range of ports I mentioned is specifically for that purpose, and I dictate to my apps to use those ports and not to find their own. Still, there’s a possibility that an app isn’t respecting my preferences and going off punching open holes on its own.

By: Codepope

Codepope — Thu, 04 Oct 2007 13:41:16 +0000

Now check for Bittorrent clients and other apps which may use uPnP or similar to open incoming ports on the firewall. You wouldn’t happen to have one which has opened up the firewall, but not opened up the local firewall? That would look just like a DDOS….