Process 6470 is the Logstash process (server component) running on system B.
Logstash version is 1.5.4 and logstash-forwarders are version 0.3.1.
Does anyone know what these reverse connections are and why they're being made? I tried troubleshooting but since Logstash refuses to run without SSL, I can't dump the traffic.
The -> arrow in the lsof output doesn't indicate who opened the connection. Quoting the lsof(1) man page:
or the local and remote Internet addresses of a network file; the local host name or IP number is followed by a colon (':'), the port, ->, and the two-part remote address;
So, your lsof output indicates that your machine listens on the "swxadmin" port and has three established connections, one each to hosts A, B, and C.
I have rules in my iptables on system-B allowing incoming connections to port 5043 and everything works fine, but as you can see above there are outgoing connections from port 5043 which are dropped by the firewall.
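The point made in the answer, that `->` only separates the local and remote address, can be checked against the listening sockets. This is an added example, not part of the original thread. It assumes `lsof -i -n -P` style output, uses a constructed sample with documentation addresses, and the function names are hypothetical. The labelling is a heuristic: an established socket whose local port is also a LISTEN port of the same process was accepted, not dialled.

```python
import re

# Constructed sample of `lsof -i -n -P` output (not taken from the thread).
SAMPLE = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    6470 logstash   45u  IPv6  81234      0t0  TCP *:5043 (LISTEN)
java    6470 logstash   46u  IPv6  81240      0t0  TCP 192.0.2.20:5043->192.0.2.10:51822 (ESTABLISHED)
java    6470 logstash   47u  IPv6  81241      0t0  TCP 192.0.2.20:5043->192.0.2.30:40110 (ESTABLISHED)
java    6470 logstash   48u  IPv6  81250      0t0  TCP 192.0.2.20:39412->192.0.2.40:9200 (ESTABLISHED)
"""

# NAME column: local[->remote] followed by the TCP state in parentheses.
NAME_RE = re.compile(r"TCP\s+(\S+?)(?:->(\S+))?\s+\((\w+)\)\s*$")


def port_of(endpoint):
    """Return the port part of host:port (works for [v6]:port and *:port)."""
    return endpoint.rpartition(":")[2]


def classify(lsof_text):
    """Label each established TCP socket as inbound or outbound."""
    listening = set()   # (pid, local port) pairs in LISTEN state
    established = []    # (pid, local endpoint, remote endpoint)
    for line in lsof_text.splitlines()[1:]:   # skip the header row
        match = NAME_RE.search(line)
        if not match:
            continue
        pid = line.split()[1]
        local, remote, state = match.groups()
        if state == "LISTEN":
            listening.add((pid, port_of(local)))
        elif state == "ESTABLISHED" and remote:
            established.append((pid, local, remote))
    results = []
    for pid, local, remote in established:
        accepted = (pid, port_of(local)) in listening
        results.append((local, remote, "inbound" if accepted else "outbound"))
    return results


if __name__ == "__main__":
    for local, remote, direction in classify(SAMPLE):
        print(f"{direction:8} {local} -> {remote}")
```

Packets leaving the host with source port 5043 on an "inbound" socket are replies on a connection the server accepted, not new outgoing connections.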