# Gentoo Firewall - Strange Denies (Port 6112)

## Crimjob

Hey guys,

I've been working on further securing my box, and I've recently started paying much more attention to my firewall denies. Recently, I started getting these strange results from a specific IP always trying to access my machine on port 6112. Unfortunately, the IP address belongs to the range for my CoLo host, but they state that since my firewall is working they don't see it as an issue. I think it's shady activity, but if it's not hurting anyone, why would they want to investigate, of course.

```
[26311090.113989] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=142 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=34735 DPT=6112 LEN=122
[26311090.138279] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=34439 DPT=6112 LEN=141
[26311092.134484] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=142 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52581 DPT=6112 LEN=122
[26311094.112628] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44871 DPT=6112 LEN=132
[26311094.129588] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60970 DPT=6112 LEN=126
```

What I don't get is the context. I know the source IP belongs to my CoLo's subnet. I don't know what port 6112 could be used for (other than a WoW server). And how on earth is the destination 255.255.255.255 hitting my IP? And what's up with the super long MAC? The source port is different almost every time, but the destination is always 6112.

I'm still fairly new to the security world, so I'm hoping someone out there knows what might be going on here / what "64.85.164.49" is trying to accomplish.

----------

## whig

I wonder if those are broadcast packets. If so all the customer modems of your local isp would get them not just you.

----------

## Crimjob

I thought similar, but keep in mind this is a CoLo on a backbone, no modems in the mix here, and no reason another customer should be broadcasting anything like that.

I still can't figure out what that port would be used for or why it would be broadcasting on the network. The server does seem quite insecure however.

----------

## Hu

Those look like broadcasts to me, too.  If you are curious, capture some of them and inspect them.

----------
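Before reaching for a packet capture, the denies already in the log answer two of the questions from the first post: the "super long MAC" is the raw 14-byte Ethernet header (destination MAC, source MAC, EtherType) that netfilter's LOG target prints, and a frame whose destination MAC is ff:ff:ff:ff:ff:ff and whose IP destination is 255.255.255.255 is a limited broadcast, which every NIC on the segment receives. The parser below is an added example, not code from anyone in this thread; it runs over the five log lines quoted above (embedded here as sample input) and groups the denies by source IP, source MAC, protocol, destination port and whether they are broadcasts. The log-prefix regex and the small EtherType table are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the five netfilter LOG lines quoted in the first post.
SAMPLE_LOG = """\
[26311090.113989] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=142 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=34735 DPT=6112 LEN=122
[26311090.138279] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=34439 DPT=6112 LEN=141
[26311092.134484] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=142 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=52581 DPT=6112 LEN=122
[26311094.112628] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44871 DPT=6112 LEN=132
[26311094.129588] RULE 4 -- DENY IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:c0:83:61:9c:08:00 SRC=64.85.164.49 DST=255.255.255.255 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60970 DPT=6112 LEN=126
"""

# Small EtherType table for display (assumption: only the common ones are named).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def decode_mac_field(mac_field):
    """Split the MAC= field that netfilter LOG prints.

    It is the raw Ethernet header: destination MAC (6 bytes), source MAC
    (6 bytes) and EtherType (2 bytes), all colon-separated, 14 octets total.
    """
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 colon-separated octets, got %d" % len(octets))
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "0x%04x" % ethertype),
    }


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict.

    Bare tokens (e.g. DF) are collected as flags. LEN= appears twice: the
    first is the IP total length, the second (after PROTO=) the L4 length.
    """
    rec = {"flags": [], "lens": []}
    # Assumed prefix layout: "[timestamp] <log-prefix> IN=..."
    m = re.match(r"\[\s*([\d.]+)\]\s*(.*?)\s+IN=", line)
    if m:
        rec["timestamp"] = float(m.group(1))
        rec["prefix"] = m.group(2)
    body = line[line.index("IN="):]
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "LEN":
                rec["lens"].append(int(val))
            elif key == "MAC":
                rec["mac"] = decode_mac_field(val)
            else:
                rec[key] = val
        else:
            rec["flags"].append(tok)
    if rec["lens"]:
        rec["ip_len"] = rec["lens"][0]
    if len(rec["lens"]) > 1:
        rec["l4_len"] = rec["lens"][1]
    return rec


def is_broadcast(rec):
    """True when both the L2 and the L3 destination are broadcast addresses.

    Such a frame is delivered to every NIC on the segment, which is why a
    packet addressed to 255.255.255.255 shows up on this host's interface
    even though it was never addressed to this host's IP.
    """
    return (rec.get("mac", {}).get("dst_mac") == "ff:ff:ff:ff:ff:ff"
            and rec.get("DST") == "255.255.255.255")


def summarize(log_text):
    """Count denies by (src IP, src MAC, proto, dst port, broadcast?)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue
        r = parse_log_line(line)
        src_mac = r["mac"]["src_mac"] if "mac" in r else None
        counts[(r.get("SRC"), src_mac, r.get("PROTO"), r.get("DPT"), is_broadcast(r))] += 1
    return counts


if __name__ == "__main__":
    for (src, src_mac, proto, dpt, bcast), n in summarize(SAMPLE_LOG).most_common():
        print("%3d  %s (%s) -> %s/%s  broadcast=%s" % (n, src, src_mac, proto, dpt, bcast))
```

On the sample lines every deny collapses into one bucket: the same source IP and source MAC, UDP to port 6112, all broadcast, with the second LEN equal to the first minus the 20-byte IP header as expected for UDP. If the source MAC is always the same, the sender is one box on the same switch segment; to confirm what it is sending, a capture filter along the lines of `tcpdump -ni eth0 'ether dst ff:ff:ff:ff:ff:ff and udp port 6112'` is what I would try next.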

## cach0rr0

*Crimjob wrote:*

> I thought similar, but keep in mind this is a CoLo on a backbone, no modems in the mix here, and no reason another customer should be broadcasting anything like that.

I'm sure they have people on the same physical switch. I would not be surprised if someone was hosting a gaming server of some sort. 

Nothing there would really concern me honestly.

----------

## Crimjob

Haha! I do packet captures every day at work and it didn't even occur to me to try it on these. Thanks for the suggestion, I think I'll give that a try.

----------

