TCLUG Archive

Re: [TCLUG:7419] firewall configuration



David Guy Brizan wrote:
> 
> > No you do not need to open up a hole above 61000. I never heard that and
> > I would be interested in where you got that information. IP Masquerading
> > doesn't use any ports to work. The three commands are all you need to get
> > it going.
> 
> I got that information from the PortSentry documentation (on your
> recommendation, actually), specifically portsentry.conf:
> 
> # On many Linux systems you cannot bind above port 61000. This is because
> # these ports are used as part of IP masquerading [....]

Anyone else ever hear of this? I never heard of this and never had any
problems.

> 
> And when I originally configured my firewall, I saw requests go out on the
> well-known ports (80 for www, for example) but they returned on really high
> ports. (Or was it the other way around? It's been so long since I did this.)
> Am I hallucinating? (Or maybe, because I log almost every packet into my
> network, I notice this and others don't?) Has no one else seen this?

This gets into how TCP/IP works. The well-known ports are usually
destination ports. When you connect to a web server, you are usually
connecting to port 80 on that system. The return connection is NOT on
port 80, but on a random higher port. This is all taken care of in IP
Masquerading. You only need to worry about the outbound connections. If
IP Masquerading didn't see a connection originate inside, it won't allow
it (by default). You can check out what is going on by using tcpdump.

Start up tcpdump in an xterm:

# tcpdump host www.mn-linux.org

Then connect to http://www.mn-linux.org in your favorite web browser,
and watch the connection back and forth.


> 
> Yes, the three-line command is all you need to get IP masquerading going,
> but it also leaves all your server's ports open. It's not a huge deal if
> you're using a ppp connexion, IMHO, but if you have a static IP or your box
> is up most of the time (like mine), this three-line command is an attack
> waiting to happen. (I can give very painful stories, if anyone needs to be
> convinced.)

Once again, if all you do is enable IP Masquerading, you don't need to
worry because only outbound connections are allowed. All inbound
connections are dropped due to the default policy of DENY ALL.



-- 
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
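An added example, not part of the message above, illustrating the point about
well-known destination ports and ephemeral source ports. The first part opens
a loopback listener standing in for a web server (an OS-chosen port rather
than 80, so no privileges are needed), connects to it and reports the ports
each side sees: the client's source port is a high, system-chosen one, and the
server's reply goes back to that same port, so the "return connection" is the
same connection, not a second one. The second part is a small parser for the
"src.port > dst.port:" lines that `tcpdump -n` prints, run over a constructed
sample trace (hostname `myhost`, port 1035 and the timestamps are made up) to
classify each packet as outbound or return and confirm that every return
packet is addressed to a port the inside host opened itself.

```python
"""Added example: ephemeral source ports and reading a tcpdump trace.

Not code from the original message. The sample trace, the host name
'myhost' and the source port 1035 are constructed for illustration.
"""
import re
import socket
import threading


def observe_connection():
    """Connect to a loopback listener and report the ports each side sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # OS picks the "well-known" port for us
    srv.listen(1)
    server_port = srv.getsockname()[1]
    result = {"server_port": server_port}

    def serve():
        conn, peer = srv.accept()
        result["peer_port_seen_by_server"] = peer[1]
        # The reply is sent on the accepted socket, i.e. back to peer's port.
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
        conn.close()

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", server_port))
    # The kernel chose this port; it is never a well-known one.
    result["client_source_port"] = cli.getsockname()[1]
    result["reply"] = cli.recv(64)
    t.join()
    cli.close()
    srv.close()
    return result


# tcpdump -n prints each TCP packet as "<ts> src.port > dst.port: flags ..."
_PKT = re.compile(r"(\S+?)\.(\d+) > (\S+?)\.(\d+):")

# Constructed sample of what 'tcpdump -n host www.mn-linux.org' might show.
SAMPLE_TRACE = """\
12:00:00.000001 myhost.1035 > www.mn-linux.org.80: S 1:1(0) win 32120
12:00:00.000002 www.mn-linux.org.80 > myhost.1035: S 9:9(0) ack 2 win 16384
12:00:00.000003 myhost.1035 > www.mn-linux.org.80: . ack 10 win 32120
12:00:00.000004 myhost.1035 > www.mn-linux.org.80: P 2:76(74) ack 10 win 32120
12:00:00.000005 www.mn-linux.org.80 > myhost.1035: P 10:509(499) ack 76 win 16384
"""


def classify(trace, inside_host, server_port=80):
    """Label each packet: ('outbound', client_port), ('return', client_port)
    or ('other', None). The client port is the inside host's ephemeral port."""
    events = []
    for line in trace.splitlines():
        m = _PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == inside_host and dport == server_port:
            events.append(("outbound", sport))
        elif dst == inside_host and sport == server_port:
            events.append(("return", dport))
        else:
            events.append(("other", None))
    return events


def returns_match_outbound(events):
    """True when every return packet targets a port the inside host used as
    a source port, i.e. nothing arrives for a port we did not open."""
    opened = {p for kind, p in events if kind == "outbound"}
    return all(p in opened for kind, p in events if kind == "return")


if __name__ == "__main__":
    r = observe_connection()
    print("client source port:", r["client_source_port"],
          "-> server port:", r["server_port"])
    print("server saw peer port:", r["peer_port_seen_by_server"])
    for ev in classify(SAMPLE_TRACE, "myhost"):
        print(ev)
    print("all returns match an outbound port:",
          returns_match_outbound(classify(SAMPLE_TRACE, "myhost")))
```

The loopback run shows the source port the kernel hands out is a high one
(never one of the privileged ports below 1024), and that the server's reply
is simply sent on the accepted socket back to that port. The parser is what
you would apply to the real tcpdump output to see the same thing on the wire.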