Hi Mikkel
I've dug up an old email I had saved since I am finally getting around to
setting up a new firewall for myself. I'd like to take the approach of
shutting off *everything* and then only opening up those that I need to -
including the >1023 range. I have a few questions if you don't mind
please.
On Thu, 12 Oct 2000, Mikkel L. Ellertson wrote:
> On Thu, 12 Oct 2000, Chris Harvey wrote:
>
> > Folks,
> > I'm trying to close down some of the ports on my machine that are in the
> > 1024 to 65535 range, and ideally I'd like to close them all down unless
> > there is an application that I know is listening on that given port.
> >
> > What I see happening though is kind of interesting. If I make a DNS call or
> > SMTP, or basically anything including HTTP. The initial call goes out of the
> > registered port, 53, 25 and 80 respectively. However the response may come
> > back in on a completely different port, usually in the range of 1037 to
> > about 28xx. Is this standard TCP/IP behaviour?
> >
> > I'm assuming my machine is making a call into another machine on the
> > registered port for the service, but also passing an alternative port number
> > that a response should be sent back on.
> >
> This is basically what is happening. You need to be root to open a
> connection to ports below 1024, so user programs open a port in the 1024
> to 65535 range, and connect to a remote machine's privileged port. The
> response comes back to the port on your machine that opened the
> connection. To close off the ports, you set up rules that only allow
> connections to these ports in response to an outgoing connection.
Isn't this what a real stateful firewall does? I thought this couldn't be
done with ipchains. How do you do this?
> You can
> limit it further by only allowing responses from specific remote ports or
> IP addresses. Here is one set of rules to allow connections to a remote
> time server from my network. 64.34.45.209 is the IP of my firewall.
>
> #
> # Open the firewall for the time server.
> #
> ipchains -I output -i eth0 -p tcp \
> -s 64.34.45.209 1024:65535 \
> --destination-port 13 -j ACCEPT
>
> ipchains -I input -i eth0 -p tcp ! -y \
> --source-port 13 \
> -d 64.34.45.209 1024:65535 -j ACCEPT
Now this I understand! I like it. Would you be willing to share the
rest of your firewall rules? I like to think it will save me a lot of time
figuring out what ports get used by what services (yes I have looked at
http://www.isi.edu/in-notes/iana/assignments/port-numbers).
Also, care to comment on whether to REJECT or DENY packets? I remember
you saying it's best to REJECT for ident/auth, but is it best to DENY for
all the others? I believe I understand the difference well enough. My
current feeling is that DENY is better simply because you are not drawing
attention to yourself (by not responding).
On a related note, can anyone tell me what this port is used for:
svrloc 427/tcp Server Location
svrloc 427/udp Server Location
thanks
charles
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
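The following is an added illustration, not code from the thread or from either poster. It is a small Python model of how ipchains evaluates the quoted input rules: first matching rule wins, otherwise the chain's default policy applies, and "! -y" matches any TCP segment that is not a bare SYN. It shows why a reply from the time server's port 13 to an unprivileged port is accepted while a connection attempt to that same port is not, and why an HTTP reply is dropped until a rule for source port 80 is added. It also carries a REJECT rule for ident (port 113) to contrast REJECT with DENY. The remote addresses, packets and the ident rule are constructed for the example; only 64.34.45.209 and the port-13 rule come from the thread.

```python
"""Toy model of the ipchains rules quoted in the thread (added example).

Reproduces ipchains' first-match evaluation and the "! -y" (not-SYN) idiom
that admits replies on unprivileged ports without tracking connections.
Remote addresses and sample packets are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FW_IP = "64.34.45.209"          # firewall address used in the quoted rules
UNPRIV = (1024, 65535)          # ports user programs bind for outgoing connections


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # TCP SYN without ACK: what ipchains "-y" matches


@dataclass
class Rule:
    target: str                 # ACCEPT, DENY (silent drop) or REJECT (error back)
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None  # True = "-y", False = "! -y", None = don't care

    def matches(self, p: Packet) -> bool:
        def in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
            return rng is None or rng[0] <= port <= rng[1]

        return (
            (self.proto is None or self.proto == p.proto)
            and (self.src is None or self.src == p.src)
            and (self.dst is None or self.dst == p.dst)
            and in_range(p.sport, self.sport)
            and in_range(p.dport, self.dport)
            and (self.syn is None or self.syn == p.syn)
        )


@dataclass
class Chain:
    policy: str                 # verdict when no rule matches (default DENY here)
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:    # ipchains stops at the first matching rule
            if r.matches(p):
                return r.target
        return self.policy


def build_input_chain() -> Chain:
    """Default-deny input chain: the thread's time-server rule plus a
    constructed REJECT for ident/auth (port 113)."""
    chain = Chain(policy="DENY")
    # ipchains -I input -i eth0 -p tcp ! -y --source-port 13 \
    #          -d 64.34.45.209 1024:65535 -j ACCEPT
    chain.rules.append(Rule("ACCEPT", proto="tcp", sport=(13, 13),
                            dst=FW_IP, dport=UNPRIV, syn=False))
    # Hypothetical: answer ident probes with REJECT so the remote side fails fast
    chain.rules.append(Rule("REJECT", proto="tcp", dst=FW_IP, dport=(113, 113)))
    return chain


# Constructed sample traffic; 192.0.2.0/24 is a documentation range.
SAMPLE = [
    # reply segment (ACK, no SYN) from the time server to our ephemeral port
    ("time reply", Packet("tcp", "192.0.2.10", 13, FW_IP, 1037)),
    # a new connection *from* port 13 into our unprivileged range: SYN set
    ("inbound SYN from 13", Packet("tcp", "192.0.2.10", 13, FW_IP, 1037, syn=True)),
    # reply from a web server: no rule covers source port 80, so default applies
    ("http reply", Packet("tcp", "192.0.2.20", 80, FW_IP, 1040)),
    # ident probe from a mail server we are talking to
    ("ident probe", Packet("tcp", "192.0.2.30", 4000, FW_IP, 113, syn=True)),
]


def classify(packets) -> List[Tuple[str, str]]:
    chain = build_input_chain()
    return [(label, chain.verdict(p)) for label, p in packets]


if __name__ == "__main__":
    for label, verdict in classify(SAMPLE):
        print(f"{label:22s} -> {verdict}")
```

Note what the model makes visible: the chain keeps no memory of outgoing connections, so the "time reply" is accepted because of its flags and ports alone, not because the firewall saw the request go out. That is exactly the difference from a stateful firewall, which would accept only replies belonging to a connection it has recorded; with ipchains the "! -y" rule blocks new connection setup into the unprivileged range and nothing more.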