Open Ports on Fremantle/N900
Hi,
I don't know if I am kinda paranoid, but I like to keep my machines as closed as possible. "Closed" meaning that I do not want any ports being open (i.e. having services listening on them) on (at least) public interfaces which are not necessarily needed. I.e. for a usual browsing/internet machine I'd like to see no open ports at all. On the N900 there are at least some UDP ports open (for completeness I post the complete outputs below):
Second, it is not really nice to have that many things listening on the local address, but this is not my main concern. The point which I do not like is that some services listen on all interfaces / the wildcard address. I played around a little bit and could shut down wappushd (by removing it from the runlevels) and mafw-dbus (by messing with its start script in /usr/bin/mafw.sh). The problem with mafw-dbus is that it seems to be needed for the media player to work correctly. As for shutting down wappushd, I did not notice a negative side effect yet. Is there any sane way to shut these services down or at least reconfigure them to only listen on the loopback interface? Best regards, Wonko
Re: Open Ports on Fremantle/N900
I scanned the ports you had open to the outside on my system to see the difference:
Code:
# nmap -sU -p 2948,49751,57439,1900 10.0.0.4
Here's my output of your netstat command for comparison:
Code:
# netstat -tunla
Code:
# lsof -i4
Re: Open Ports on Fremantle/N900
WTB iptables ;)
Re: Open Ports on Fremantle/N900
I made similar observations:
"wappushd" listens on UDP:2948
"mafw-dbus" listens on UDP:1900
Additionally, "mafw-dbus" and "browser" each listen on a random unprivileged UDP port (Edit: this port seems to be randomly assigned at boot up).
In my case:
mafw-dbus - UDP *:49751
browser - UDP *:57439
In your case:
mafw-dbus - UDP *:61464
browser - UDP *:51687
Re: Open Ports on Fremantle/N900
I didn't find a place where to get iptables for Fremantle/N900 yet. As far as I can tell, I would have to manually compile the stuff as there seems to be no package yet. Also, iptables would be some kind of intermediate solution imho. This may be some kind of philosophic question, but I think it's "nicer" to have the services on a machine properly configured (i.e. only having them listen on the desired interfaces, for example) than "fixing" strangely configured services afterwards by e.g. denying access via iptables. Anyway, this solution would also work as a temporary fix.
Re: Open Ports on Fremantle/N900
Agreed, having stuff only listen where necessary is the most elegant solution.
There are some iptables binaries around, but I'm not sure whether they're functional (I know the kernel is missing NAT support and such). These are totally unsupported and such, but there's an iptables .deb here if you're willing to risk it.
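The two things people in this thread are doing by hand, listing which sockets are bound to the wildcard address and then fencing those ports off with iptables as the "intermediate solution", can be scripted. The block below is an added example and is not code from the thread or from Maemo: it parses `netstat -tunlp`-style output, prints every listener bound to `0.0.0.0`, `::` or `*`, and turns that list into filter-table rules that accept the port on `lo` and drop it on every other interface (no NAT needed, which matters given the kernel caveat above). The netstat sample embedded at the bottom is constructed for illustration, not captured from an N900; it only reuses the port/program pairs already named in the thread, plus one loopback-only line with a made-up name to show that such sockets are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets for wildcard
# binds and emit iptables rules that confine them to the loopback interface.
# The SAMPLE_NETSTAT text below is constructed, not real N900 output.

# wildcard_listeners: read "netstat -tunlp"-style output on stdin and print
# "proto port program" for each socket bound to 0.0.0.0, :: or * (any
# interface). Sockets on 127.0.0.1 / ::1 are local-only and are skipped.
# Without -p (busybox netstat may lack it) the program column is "?".
wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4                                  # Local Address column
            n = split(addr, parts, ":")
            port = parts[n]                            # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            prog = $NF                                 # "PID/name" when -p works
            if (prog ~ /^[0-9]+\//) sub(/^[0-9]+\//, "", prog); else prog = "?"
            if (host == "0.0.0.0" || host == "::" || host == "*" || host == "")
                print $1, port, prog
        }'
}

# loopback_only_rules ALLOWED_PORTS: read "proto port program" lines (the
# output of wildcard_listeners) on stdin and print the iptables commands
# that keep each port reachable from lo only. Ports in ALLOWED_PORTS
# (space separated, e.g. "1900" to keep SSDP/UPnP discovery working) are
# left open and reported as a comment line instead. IPv6 binds get
# ip6tables; everything else gets iptables.
loopback_only_rules() {
    allowed=" $1 "
    while read -r proto port prog; do
        base=${proto%6}                                # tcp6/udp6 -> tcp/udp
        tool=iptables
        case "$proto" in *6) tool=ip6tables ;; esac
        case "$allowed" in
            *" $port "*)
                echo "# keeping $base/$port ($prog) open" ;;
            *)
                echo "$tool -A INPUT -i lo -p $base --dport $port -j ACCEPT"
                echo "$tool -A INPUT -p $base --dport $port -j DROP" ;;
        esac
    done
}

# Constructed sample in the layout of "netstat -tunlp" (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2628          0.0.0.0:*               LISTEN      811/localonly
udp        0      0 0.0.0.0:2948            0.0.0.0:*                           1007/wappushd
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1120/mafw-dbus
udp        0      0 0.0.0.0:49751           0.0.0.0:*                           1120/mafw-dbus
udp        0      0 0.0.0.0:57439           0.0.0.0:*                           1301/browser
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -'

# sample_audit: the audit run over the constructed sample (self-check).
sample_audit() { printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners; }

# sample_rules: rules for the sample, keeping 1900 open so UPnP still works.
sample_rules() { sample_audit | loopback_only_rules "1900"; }

if [ "${1:-}" = "--live" ]; then
    # Real run (as root): ./audit.sh --live "1900" | sh   (review before piping!)
    netstat -tunlp 2>/dev/null | wildcard_listeners | loopback_only_rules "${2:-}"
else
    sample_rules
fi
```

Two caveats for using this on the device: the rules are appended with `-A`, so they only bite if no earlier rule in INPUT already accepts the traffic, and since the thread notes that mafw-dbus and browser pick a new random UDP port at every boot, the generated rule set has to be rebuilt after each reboot rather than saved once. Also remember that `nmap -sU` against a UDP port that never answers reports `open|filtered`, so a DROP rule and a closed port look the same from outside; the netstat view from the device itself is the authoritative one.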
Re: Open Ports on Fremantle/N900
Alright, I think I found some tweaks to get rid of at least some of the offending services.
Of course, whenever changing or deleting something I assume you do have backups. ;)
wappushd:
Code:
update-rc.d -f wappushd remove
mafw-dbus:
Code:
mv /usr/lib/mafw-plugin/mafw-upnp-source.so backup/usr/lib/mafw-plugin/
This approach is kinda "safe" because of the way the mafw plugins are loaded via "/etc/X11/Xsession.post/32mafw". This script simply iterates over all *.so files found in "/usr/lib/mafw-plugin" and loads them.
browser: First I thought I had this one eliminated as well, but it appears to just start very late after a reboot. So this is still left for now.
Side effects: For now I couldn't notice any negative side effects. We'll see how this keeps going (I'll let you know as soon as I encounter strange behavior which can be tracked down to the above changes).
Happy New Year all! :)
Re: Open Ports on Fremantle/N900
Does anyone know what 'wappushd' does? It's got a suspicious name.. I would like to know if I want to get rid of it too.
Re: Open Ports on Fremantle/N900
Suspicious, yeah .. WAP and push; this basically gives an idea of what it is supposed to do ;)
But don't ask me what this daemon is really for. ;) In "/etc/dbus-1/system.d/wappushd_policy.conf" there is some D-Bus config stuff with respect to wappushd, but I didn't touch D-Bus for quite a long time so I'm kinda rusty in that topic.
Re: Open Ports on Fremantle/N900
Well, finally I also found at least some solution for the browser issue.
The solution is to simply install a different web browser (I chose midori for now) and use browser switchboard to set it as the default browser. After a reboot there is no browser process listening on random sockets.
Some more notes: "browser" not only listens on UDP but after some web browsing also had other ports open, even on TCP. Here again I'm not talking about the browser opening connections to the "outside" but the browser process itself opening a socket and actively listening for "incoming" connections. Also the browser process is running in the background and kept the ports open even after closing the "browser window". As far as I can tell this behavior is related to the way Fremantle is handling the built-in browser. I.e. it has split up the browser into some "daemon" part which is running in the background and handles the actual browsing etc. and some "frontend" which displays the actual GUI window. Still it feels kind of strange to see my web browser opening/listening on sockets.
The browser process is a child process of "maemo-launcher" which also takes care of restarting the process if browser is killed manually. According to the documentation, maemo-launcher is used to speed up loading of applications (http://maemomm.garage.maemo.org/docs...html/ch07.html). In fact you should be very careful when messing with maemo-launcher and especially the startup script in "/etc/X11/Xsession.d/02maemo-launcher" as you can easily "brick" your device and need to reflash it to fix it (guess why I know this ;)).
So far... Best regards, Wonko
Re: Open Ports on Fremantle/N900
It might be worth logging these as bugs (against each application separately). If there is a good reason to have the ports open it will probably be closed as WONTFIX but if it is an oversight (and they should really only be listening on the loopback interface) then they sound like bugs which should be fixed.
If you log the bugs, list them here so anyone else who cares can go and vote for them. Graham
Re: Open Ports on Fremantle/N900
Thanks for the hint, I added the corresponding bug reports:
https://bugs.maemo.org/show_bug.cgi?id=7619
https://bugs.maemo.org/show_bug.cgi?id=7620
https://bugs.maemo.org/show_bug.cgi?id=7621
Best regards, Wonko
Re: Open Ports on Fremantle/N900
I was reading up about WAP PUSH. I wonder why there should be support for that at all on this device. It accesses the real internet after all, not that old WAP rubbish.
Re: Open Ports on Fremantle/N900
WAP push is not WAP. It's a means for e.g. software installation by your carrier. E.g. T-Online's mobile banking client installs per WAP push (but not on the N900 since it's Java). There's a daemon listening because the N900 is a phone.
The 1900 UDP port is for listening to SSDP broadcast messages used by UPnP. If you close this port, your N900 won't be able to find UPnP devices on the network anymore, provided you have some.
Re: Open Ports on Fremantle/N900
OK. But I don't see how the carrier can push software installations to random phone devices, they're all having different operating systems. My carrier has (in the past) pushed stuff which has been loaded into the SIM card though. Is that through the same mechanism? It sounds a bit unlikely because this used to happen to my very old phone which was before WAP was even invented.
Re: Open Ports on Fremantle/N900
Java MIDlets usually work on many phones. The carrier won't push without your permission or request usually, though.