TCLUG Archive
Re: [TCLUG:7419] firewall configuration
"Clayton T. Fandre" wrote:
>
> David Guy Brizan wrote:
> >
> > > No, you do not need to open up a hole above 61000. I never heard that and
> > > I would be interested in where you got that information. IP Masquerading
> > > doesn't use any ports to work. The three commands are all you need to get
> > > it going.
> >
> > I got that information from the PortSentry documentation (on your
> > recommendation, actually), specifically portsentry.conf:
> >
> > # On many Linux systems you cannot bind above port 61000. This is because
> > # these ports are used as part of IP masquerading [....]
>
> Anyone else ever hear of this? I never heard of this and never had any
> problems.
After searching dejanews, here's what I found. It sounds like those
ports are used by the masquerading, but they are handled internally so you
don't need to open the ports up. If you have your IP Masquerading
machine behind a firewall (a different machine than your masquerading
machine), you will need to open up the 61000-65096 range for it to work.
From Dejanews <SNIP>
In linux/include/net/ip_masq.h there are two lines looking like this:

#define PORT_MASQ_BEGIN 61000
#define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)

They mean that a kernel compiled using these values will use the ports
between 61000...61000+4096 for masquerading outgoing connections, i.e. when
you see connections using a port out of this range as TCP source port you
can guess they're using masquerading. It's easy to change these values, of
course, but first most people won't change it (everything under linux/ is
magic, don't touch it) and second, all ports in the upper range are rarely
used by programs, so whenever you see high port numbers this may be a sign
someone's masquerading.

People can't set it to low numbers, where the numbers usually are when a
connection is indeed originating from a certain host, because masquerading
_must_ use its own pool because it can't tell the difference between a
packet destined for the local host or for another host (for which we
masquerade) other than by looking at the destination port. If it's in the
range given in ip_masq.h, the kernel will try to de-masquerade it. (So if
someone sets the masquerading range too low so that it interferes with
packets that are really coming from this host, these local connections
won't work; if there are masqueraded connections that have been assigned
the same port, this masqueraded connection will most probably get messed
up).
</SNIP>
Clay
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
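The mechanism the quoted Dejanews post describes, as an added toy model (not code from the original thread or from the Linux kernel): outgoing connections get a source port from the PORT_MASQ_BEGIN..PORT_MASQ_END pool, and an incoming packet is de-masqueraded purely on whether its destination port falls in that range, which is why a pool set too low collides with the host's own services. The MasqTable class, the host addresses and the port numbers are constructed for illustration.

```python
# Added example: a simplified model of 2.x-era Linux IP masquerading port handling.
# Constants as quoted from linux/include/net/ip_masq.h; END is an exclusive bound.
PORT_MASQ_BEGIN = 61000
PORT_MASQ_END = PORT_MASQ_BEGIN + 4096   # 65096


class MasqTable:
    """Hypothetical model of the kernel's masquerade table and port pool."""

    def __init__(self, begin=PORT_MASQ_BEGIN, end=PORT_MASQ_END):
        self.begin, self.end = begin, end
        self.next_port = begin
        self.table = {}          # masquerade port -> (internal host, internal port)

    def in_masq_range(self, port):
        return self.begin <= port < self.end

    def masquerade(self, src_host, src_port):
        """Rewrite an outgoing connection's source port to one from the pool."""
        if self.next_port >= self.end:
            raise RuntimeError("masquerade port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src_host, src_port)
        return port

    def demasquerade(self, dst_port):
        """Classify an incoming packet the way the post describes: the destination
        port alone decides whether it is for this host or for a masqueraded one."""
        if not self.in_masq_range(dst_port):
            return ("local", dst_port)            # delivered to a local service
        internal = self.table.get(dst_port)
        if internal is None:
            return ("dropped", dst_port)          # in range but no masqueraded connection
        return ("forward", internal)              # rewritten back to the internal host


def return_traffic_range(begin=PORT_MASQ_BEGIN, end=PORT_MASQ_END):
    """Inclusive port range an upstream firewall must allow so replies reach
    the masquerading box (the 61000-65096 range discussed in the thread)."""
    return (begin, end - 1)


if __name__ == "__main__":
    # Constructed scenario: pool set too low collides with a local service on 1500.
    low = MasqTable(begin=1000, end=1000 + 4096)
    low.masquerade("10.0.0.2", 5555)
    print(low.demasquerade(1500))   # a packet for the local service is not delivered
```

With the default range, a packet to port 80 is "local" and a reply to 61000 is forwarded to the internal host that opened the connection; with the pool moved down to 1000, traffic for a local service on port 1500 is swallowed by the de-masquerading check.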