Hi Everyone,

Just to follow up and close on this thread. UDP port 4500 was indeed part of the kernel. It can be controlled with sysctl.conf settings, in particular net.inet.esp.udpencap. When I set this to =NO the port is no longer active. (It is important, which is why it is part of the kernel and on by default, but I just wanted to understand how to control it.)

Here are the esp settings (from man sysctl):

net.inet.esp.enable
net.inet.esp.udpencap
net.inet.esp.udpencap_port

UDP port 623 had nothing to do with OpenBSD and was part of the hardware. It is part of the Intelligent Platform Management Interface (IPMI) and it cannot always be disabled. If it is possible to disable it, the option is through the BIOS. Here is some info on it:

http://www.itworld.com/article/2708437/security/ipmi--the-most-dangerous-protocol-you-ve-never-heard-of.html
http://wiki.networksecuritytoolkit.org/index.php/Tunnelling_UDP_Traffic_Through_An_SSH_Connection
https://www.us-cert.gov/ncas/alerts/TA13-207A

-------- Original Message --------
Subject: Unable to disable UDP ports 623 and 4500
Local Time: November 15, 2016 9:44 PM
UTC Time: November 16, 2016 5:44 AM
From: fo...@protonmail.ch
To: misc@openbsd.org <misc@openbsd.org>

Hi All,

I am exploring locking down an OpenBSD 6.0 server running on a Thinkpad W510 with an i7-Q720 processor. I believe I have turned off everything except dhcp and sshd. When I run a netstat I don't see any services running. I have set everything =NO in rc.conf.local (except dhcp and ssh). However, when I port scan the machine I still see UDP ports 623 and 4500 open.

I found an article that recommended disabling them using mobike=NO in ipsec.conf, but I cannot find anything about it in the man page; I tried it anyway and there was no change.

Any thoughts or ideas? Below are the port scan and the netstat from the server:

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-15 21:28 PST
Nmap scan report for 192.168.0.127
Host is up (0.0042s latency).
Not shown: 998 closed ports
PORT     STATE         SERVICE
623/udp  open|filtered asf-rmcp
4500/udp open|filtered nat-t-ike
MAC Address: F0:DE:F1:48:D2:10 (Wistron InfoComm (Kunshan)Co)

Nmap done: 1 IP address (1 host up) scanned in 173.95 seconds

# netstat -a
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
ip           0      0  *.*                    *.*                    17
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.0.127.ssh      192.168.0.112.33356    ESTABLISHED
tcp          0      0  *.ssh                  *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6         0      0  *.ssh                  *.*                    LISTEN
Active UNIX domain sockets
Address            Type   Recv-Q Send-Q Inode Conn               Refs Nextref Addr
0xffff8000003a2b00 stream      0      0   0x0 0xffff8000003a2b80  0x0     0x0
0xffff8000005d4800 stream      0      0   0x0 0xffff8000005d4200  0x0     0x0
0xffff8000005d4200 stream      0      0   0x0 0xffff8000005d4800  0x0     0x0
0xffff8000003a2b80 stream      0      0   0x0 0xffff8000003a2b00  0x0     0x0
#
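The diagnostic lesson of the thread is that a port the scanner sees but netstat does not list is served by something below userland: the kernel (ESP UDP encapsulation on 4500/udp) or the platform firmware (IPMI/BMC on 623/udp). The following script, added here as an illustration and not part of the original thread, parses the nmap and netstat output above (embedded as constructed, trimmed samples) and reports exactly those unexplained ports; the SERVICE_PORTS and KNOWN_NON_USERLAND tables are assumptions limited to what this thread discusses.

```python
import re

# Constructed sample input: the nmap port table and netstat socket list above, trimmed.
NMAP_OUTPUT = """\
PORT     STATE         SERVICE
623/udp  open|filtered asf-rmcp
4500/udp open|filtered nat-t-ike
"""
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.0.127.ssh      192.168.0.112.33356    ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
tcp6       0      0  *.ssh                  *.*                    LISTEN
"""
# netstat prints /etc/services names instead of numbers; a constructed subset.
SERVICE_PORTS = {"ssh": 22}
# Ports answered by the kernel or platform firmware with no userland socket (assumed).
KNOWN_NON_USERLAND = {
    ("udp", 4500): "kernel ESP UDP encapsulation (sysctl net.inet.esp.udpencap)",
    ("udp", 623): "IPMI/BMC firmware (RMCP); the OS never sees this socket",
}

def parse_nmap(text):
    """Return {(proto, port): state} for every port line in nmap output."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+(\S+)", line)
        if m:
            ports[(m.group(2), int(m.group(1)))] = m.group(3)
    return ports

def parse_netstat(text):
    """Return the set of (proto, port) pairs bound on the local side."""
    bound = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")        # tcp6 -> tcp, udp6 -> udp
        port = fields[3].rsplit(".", 1)[-1]  # "*.ssh" -> "ssh", "*.4500" -> "4500"
        bound.add((proto, int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1)))
    return bound

def unexplained_ports(nmap_text, netstat_text):
    """Scanned ports that no userland socket serves, mapped to their likely owner."""
    bound = parse_netstat(netstat_text)
    return {key: KNOWN_NON_USERLAND.get(key, "unknown: check kernel sysctls and firmware")
            for key, state in parse_nmap(nmap_text).items()
            if key not in bound and state != "closed"}
```

Running `unexplained_ports(NMAP_OUTPUT, NETSTAT_OUTPUT)` on the thread's data flags 623/udp and 4500/udp and nothing else, which matches the conclusion reached above.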