On Thu, 12 Oct 2000, Chris Harvey wrote:
> Folks,
> I'm trying to close down some of the ports on my machine that are in the
> 1024 to 65535 range, and ideally I'd like to close them all down unless
> there is an application that I know is listening on that given port.
>
> What I see happening though is kind of interesting. If I make a DNS call or
> SMTP, or basically anything including HTTP, the initial call goes out of the
> registered port, 53, 25 and 80 respectively. However the response may come
> back in on a completely different port, usually in the range of 1037 to
> about 28xx. Is this standard TCP/IP behaviour?
>
> I'm assuming my machine is making a call into another machine on the
> registered port for the service, but also passing an alternative port number
> that a response should be sent back on.
>
This is basically what is happening. You need to be root to open a
connection to ports below 1024, so user programs open a port in the 1024
to 65535 range, and connect to a remote machine's privileged port. The
response comes back to the port on your machine that opened the
connection. To close off the ports, you set up rules that only allow
connections to these ports in response to an outgoing connection. You can
limit it further by only allowing responses from specific remote ports or
IP addresses. Here is one set of rules to allow connections to a remote
time server from my network. 64.34.45.209 is the IP of my firewall.
#
# Open the firewall for the time server.
#
ipchains -I output -i eth0 -p tcp \
-s 64.34.45.209 1024:65535 \
--destination-port 13 -j ACCEPT
ipchains -I input -i eth0 -p tcp ! -y \
--source-port 13 \
-d 64.34.45.209 1024:65535 -j ACCEPT
>
> Therefore do I have to leave a range of ports open so that these
> conversations can happen between applications without opening up the whole
> range? Is the range defined anywhere, can I define it? Anyone know of any
> sources I can read up on this?
>
> BTW: I don't have portmapper running on the machine as I heard that was for
> NFS. Is that right?
>
> Chris
>
NFS, and the "R" commands. (rlogin, rsh, etc.) Unless you really need it,
not running portmap is a good idea! Definitely not something to run on a
firewall.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
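The mechanism the reply describes, as an added Python example that is not part of the thread and not Mikkel's code: a client asks the kernel for an unprivileged local port before connecting out, and the firewall's "! -y" rule lets packets from remote port 13 back in to that range only when they are not connection-opening (SYN-only) packets. The two rules are modelled on the ipchains rules in the reply; 64.34.45.209 is the firewall address from the reply, 192.0.2.10 is a constructed placeholder for the time server, and the "-i eth0" interface match is left out.

```python
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Unprivileged range that user programs draw their local (ephemeral) port from.
UNPRIV_RANGE = (1024, 65535)

FIREWALL_IP = "64.34.45.209"   # firewall address from the reply
TIME_SERVER = "192.0.2.10"     # constructed placeholder, not from the thread


def pick_ephemeral_port() -> int:
    """Bind to port 0 and let the kernel choose the local port.

    This is what a client does before connecting out: the kernel hands it an
    unprivileged port, and that is the port the remote server's replies go to.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


@dataclass(frozen=True)
class Packet:
    chain: str        # "input" or "output", as ipchains sees it
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool    # True for the first packet of a new connection (SYN set, ACK clear)


@dataclass(frozen=True)
class Rule:
    chain: str
    src: Optional[str]                 # None = any source address
    sports: Optional[Tuple[int, int]]  # None = any source port
    dst: Optional[str]
    dports: Optional[Tuple[int, int]]
    not_syn: bool                      # True models "! -y": skip connection-opening packets
    target: str


# The two rules from the reply, minus the interface match.
RULES = [
    Rule("output", FIREWALL_IP, UNPRIV_RANGE, None, (13, 13), False, "ACCEPT"),
    Rule("input", None, (13, 13), FIREWALL_IP, UNPRIV_RANGE, True, "ACCEPT"),
]


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.chain != pkt.chain:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if not (_in_range(pkt.sport, rule.sports) and _in_range(pkt.dport, rule.dports)):
        return False
    if rule.not_syn and pkt.syn_only:
        return False
    return True


def verdict(pkt: Packet, rules=RULES, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.target
    return policy


if __name__ == "__main__":
    local = pick_ephemeral_port()
    print(f"kernel assigned local port {local}")
    # Constructed packets for one time-server conversation.
    outbound = Packet("output", FIREWALL_IP, local, TIME_SERVER, 13, True)
    reply = Packet("input", TIME_SERVER, 13, FIREWALL_IP, local, False)
    unsolicited = Packet("input", TIME_SERVER, 13, FIREWALL_IP, local, True)
    for p in (outbound, reply, unsolicited):
        print(p.chain, p.src, p.sport, "->", p.dst, p.dport, verdict(p))
```

The third constructed packet is the case the "! -y" is there for: a packet that merely comes from source port 13 is not enough, because a new connection attempt (SYN-only) aimed at the unprivileged range is still denied. ipchains keeps no connection table, so the SYN check is the only direction test it has; later netfilter stacks replace this with state tracking that accepts only packets belonging to a connection the firewall has already seen go out.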