Any networking gurus out there willing to answer a few questions from a
RedHat Linux user?
I'd like to understand why my system (RedHat 5.2, Linux hostname 2.0.36
#1 Tue Dec 29 13:11:13 EST 1998 i586 unknown) is opening a raw inet
socket on port 1. E.g.,
$ netstat -a --inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address
raw 0 0 *:1 *:*
None of the online resources or books I've seen (I spent the morning
browsing through TCP/IP Illustrated and a number of Linux networking
references) seem to talk much about AF_INET, SOCK_RAW ports. I think I
understand what types of sockets exist, but my questions are:
1) What are the security implications of opening this port when
connected to the Internet?
2) I can list what processes are running (ps auxww) and what inet
sockets are open (netstat -a --inet), but how do I list which processes
have opened which sockets?
3) I've read about IP (RFC 791, 950, 919, 922), ARP (RFC 826), ICMP (RFC
792), UDP (RFC 768), TCP (RFC 793), BSD sockets and SVR4 STREAMS, but
I'm still having a hard time putting it all together. I'm at the point
where I can't see the forest for the trees. Can anyone recommend a good
expert reference book? Should I shell out the bucks for TCP/IP
Illustrated? (Anyone want to sell a used copy?) Should I just memorize
the RFCs and meditate until I reach higher consciousness?
I know about the ISO layers, but I'm confused how all of these protocols
map on top of each other, and how the kernel, modules and user programs
divide up the tasks between getting information from the user and
sending a packet on the wire, and vice versa. For example, I'm assuming
the inet port for a SOCK_STREAM, SOCK_DGRAM, or SOCK_RAW packet is
tucked into the IP packet somehow, but what about ICMP and ARP? Are
ICMP messages sent in IP packets? Do they have ports?
Who opens up each IP packet to see what's in it -- the kernel, a module,
or a user program? Who exactly deals with ICMP? (If you can't tell,
I'm not a kernel hacker. If these questions seem stupid, please
forgive my ignorance and point me to a source of wisdom.)
4) I'm looking for maybe ten pages of information that would explain in
reasonable detail what protocols a Linux box on an Ethernet connected to
the Internet needs to speak, and which programs are responsible for
which parts. For example, I know that I need to be able to send and
receive IP, but it's a little vague to me what part of Linux does that,
and if I can upgrade that part independently from, say, the part that
handles virtual memory.
Where can I find this online? So far, I've done searches in InfoSeek,
HotBot, Yahoo, the Mozilla directory, Google, and DejaNews. I've also
http://metalab.unc.edu/LDP/LDP/sag/index.html, and a bunch of others.
Yes, I did RTFM for kerneld, netstat, ifconfig, arp, init and route.
And I have read the above-referenced RFCs at
Thanks for the bandwidth,
P.S. If you're running RedHat Linux 5.1 or below, I'd highly recommend
reading http://www.cert.org/advisories/CA-98.12.mountd.html. Someone
over the Internet got root on two RedHat systems I'm responsible for.
It was not fun.
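For question 2 (which process holds which socket), and as background to question 1: for a raw socket, netstat prints the IP protocol number in the "port" column, so "*:1" is a raw socket bound to protocol 1, which is ICMP (the kind of socket ping or a monitoring daemon opens to send and receive echo requests). The kernel lists every inet socket in /proc/net/raw, /proc/net/udp and /proc/net/tcp together with its socket inode, and every process exposes its open file descriptors as symlinks under /proc/<pid>/fd, where a socket appears as "socket:[inode]". Joining the two tables gives the owner of each socket. The script below is an added example and is not part of the original post; it assumes the /proc/net column layout that Linux has used since the 2.x series (inode in column 10; later kernels append extra columns, which the script ignores), the little-endian address encoding seen on x86, and a PROC_ROOT variable (my own knob, not a kernel feature) so the same functions can be pointed at a constructed directory tree. Reading other users' fd tables requires root; sockets whose owner cannot be determined are reported with "pids=?". On a current system, `netstat -p`, `ss -p` or `lsof -i` perform this join for you.

```shell
#!/bin/sh
# Added example (not from the original post): map inet sockets listed in
# /proc/net/{raw,udp,tcp} to the processes holding them, by matching the
# socket inode against the "socket:[inode]" links in /proc/<pid>/fd.
# PROC_ROOT is an assumed knob so the functions can run against a
# constructed tree instead of the live /proc.

PROC_ROOT="${PROC_ROOT:-/proc}"

# Constructed sample of /proc/net/raw (columns: sl local_address rem_address
# st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode). The first
# entry is a raw socket on protocol 1 (ICMP), i.e. what netstat shows as *:1.
SAMPLE_PROC_NET_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
   2: 0100007F:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5678'

# parse_proc_net: stdin is the contents of /proc/net/raw, /proc/net/udp or
# /proc/net/tcp; stdout is one line per socket: "<local_ip> <port_or_proto> <inode>".
# For the raw table the "port" field is the IP protocol number.
parse_proc_net() {
    awk '
    function hex2dec(h,   i, c, v) {           # "00FF" -> 255 (portable awk, no strtonum)
        v = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1)) - 1
            v = v * 16 + c
        }
        return v
    }
    function hexip(h) {                        # "0100007F" -> 127.0.0.1 (assumed little-endian host order)
        return hex2dec(substr(h,7,2)) "." hex2dec(substr(h,5,2)) "." \
               hex2dec(substr(h,3,2)) "." hex2dec(substr(h,1,2))
    }
    NR > 1 && NF >= 10 {
        split($2, a, ":")
        print hexip(a[1]), hex2dec(a[2]), $10
    }'
}

# list_socket_fds: print "<inode> <pid>" for every open socket fd visible
# under PROC_ROOT (only your own processes unless you are root).
list_socket_fds() {
    for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            socket:\[*\])
                inode=${target#"socket:["}
                inode=${inode%"]"}
                pid=${fd#"$PROC_ROOT"/}
                printf '%s %s\n' "$inode" "${pid%%/*}"
                ;;
        esac
    done
}

# pids_for_inode: the pids holding the socket with the given inode, one per line.
pids_for_inode() {
    list_socket_fds | awk -v want="$1" '$1 == want { print $2 }' | sort -un
}

# report_sockets: join one /proc/net table (raw, udp or tcp) with the fd scan.
report_sockets() {
    table="$1"
    [ -r "$PROC_ROOT/net/$table" ] || return 0
    owners=$(list_socket_fds)                  # scan /proc once, not once per socket
    if [ "$table" = raw ]; then key=proto; else key=port; fi
    parse_proc_net < "$PROC_ROOT/net/$table" | while read -r ip port inode; do
        pids=$(printf '%s\n' "$owners" | awk -v want="$inode" '$1 == want { print $2 }' \
               | sort -un | tr '\n' ' ')
        pids=${pids% }
        printf '%s %s=%s local=%s inode=%s pids=%s\n' \
            "$table" "$key" "$port" "$ip" "$inode" "${pids:-?}"
    done
}

# Demo on the constructed sample, then on the live system if /proc is readable.
echo "parsed sample /proc/net/raw (ip proto inode):"
printf '%s\n' "$SAMPLE_PROC_NET_RAW" | parse_proc_net
for t in raw udp tcp; do report_sockets "$t"; done
```

The fd scan is the part that needs privilege: /proc/<pid>/fd of another user's process is unreadable to you, so a raw ICMP socket opened by a root daemon will show "pids=?" unless the script itself runs as root, which is also why netstat alone cannot answer the question.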