TCLUG Archive

Re: [TCLUG:7419] firewall configuration



"Clayton T. Fandre" wrote:
> 
> David Guy Brizan wrote:
> >
> > > No, you do not need to open up a hole above 61000. I never heard that and
> > > I would be interested in where you got that information. IP Masquerading
> > > doesn't use any ports to work. The three commands are all you need to get
> > > it going.
> >
> > I got that information from the PortSentry documentation (on your
> > recommendation, actually), specifically portsentry.conf:
> >
> > # On many Linux systems you cannot bind above port 61000. This is because
> > # these ports are used as part of IP masquerading [....]
> 
> Anyone else ever hear of this? I never heard of this and never had any
> problems.


After searching dejanews, here's what I found. It sounds like those
ports are used by masquerading, but that is handled internally, so you
don't need to open the ports up. If you have your IP Masquerading
machine behind a firewall (different from your masquerading machine),
you will need to open up the 61000-65096 range for it to work.

From Dejanews <SNIP>

In linux/include/net/ip_masq.h there are two lines looking like this:

    #define PORT_MASQ_BEGIN 61000
    #define PORT_MASQ_END   (PORT_MASQ_BEGIN+4096)

They mean that a kernel compiled using these values will use the ports
between 61000...61000+4096 for masquerading outgoing connections, i.e.
when you see connections using a port out of this range as TCP source
port you can guess they're using masquerading. It's easy to change
these values, of course, but first most people won't change it
(everything under linux/ is magic, don't touch it) and second, all
ports in the upper range are rarely used by programs, so whenever you
see high port numbers this may be a sign someone's masquerading.
People can't set it to low numbers, where the numbers usually are when
a connection is indeed originating from a certain host, because
masquerading _must_ use its own pool, as it can't tell the difference
between a packet destined for the local host or for another host (for
which we masquerade) other than by looking at the destination port. If
it's in the range given in ip_masq.h, the kernel will try to
de-masquerade it. (So if someone sets the masquerading range too low so
that it interferes with packets that are really coming from this host,
these local connections won't work; if there are masqueraded
connections that have been assigned the same port, this masqueraded
connection will most probably get messed up.)
</SNIP>

Clay


Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
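The port-pool rule from the quoted ip_masq.h excerpt, and the two practical consequences raised in the thread (a pool set too low collides with the gateway's own services; a firewall in front of the masquerading box must let replies back to the pool), modelled in a small Python script. This is an added example, not code from the TCLUG post or from the Linux kernel: the PORT_MASQ_BEGIN/PORT_MASQ_END values are the ones quoted in the thread, the upper bound is treated as exclusive (an assumption about how the kernel compared against PORT_MASQ_END; the post only quotes the defines), the Packet type, function names, flow records and listening-port list are all constructed for illustration, and the classifier generalises the post's one example of a pool set "too low" to any candidate range.

```python
"""Model of the masquerade port pool described in the quoted ip_masq.h excerpt.

Added example, not code from the TCLUG post or the Linux kernel. The pool
constants are the values quoted in the thread; the exclusive upper bound,
the Packet type, the function names and all sample data are assumptions
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

PORT_MASQ_BEGIN = 61000
PORT_MASQ_END = PORT_MASQ_BEGIN + 4096  # 65096; assumed to be an exclusive upper bound


def in_masq_range(port: int, begin: int = PORT_MASQ_BEGIN, end: int = PORT_MASQ_END) -> bool:
    """True if `port` falls inside the pool reserved for masquerading."""
    return begin <= port < end


@dataclass(frozen=True)
class Packet:
    """Minimal TCP 4-tuple; constructed for the example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify_inbound(pkt: Packet, begin: int = PORT_MASQ_BEGIN, end: int = PORT_MASQ_END) -> str:
    """Mimic the gateway's decision on a packet arriving from the outside.

    As the quoted post explains, the only thing the kernel has to go on is the
    destination port: inside the pool it tries to de-masquerade (hand the packet
    to an internal host), otherwise it delivers the packet to the gateway itself.
    """
    return "de-masquerade" if in_masq_range(pkt.dst_port, begin, end) else "local"


def range_conflicts(local_listen_ports: Iterable[int], begin: int, end: int) -> List[int]:
    """Ports of services on the gateway that a candidate pool would swallow.

    This is the failure mode the post warns about: a pool low enough to cover a
    port a local service listens on makes replies to that service look like
    masqueraded traffic, and the local connection breaks.
    """
    return sorted(p for p in local_listen_ports if begin <= p < end)


def flag_masqueraded_sources(flows: Iterable[Packet], begin: int = PORT_MASQ_BEGIN, end: int = PORT_MASQ_END) -> List[Packet]:
    """Outbound flows whose TCP source port sits in the pool.

    Seen from a firewall in front of the gateway (Clay's case), these are the
    flows whose return traffic must be allowed back to ports begin..end-1; and,
    as the post notes, such a source port is a hint that the sender masquerades.
    """
    return [f for f in flows if in_masq_range(f.src_port, begin, end)]


# Constructed sample traffic as seen on the outside of the gateway (192.0.2.1).
SAMPLE_FLOWS = [
    Packet("192.0.2.1", 61003, "203.0.113.10", 80),   # masqueraded web request
    Packet("192.0.2.1", 64900, "203.0.113.20", 443),  # masqueraded TLS request
    Packet("192.0.2.1", 34567, "203.0.113.30", 25),   # gateway's own mail delivery
]

# Constructed list of services listening on the gateway itself.
GATEWAY_LISTEN_PORTS = [22, 25, 80, 1024, 1100]


def main() -> None:
    for f in flag_masqueraded_sources(SAMPLE_FLOWS):
        print(f"likely masqueraded: {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    reply = Packet("203.0.113.10", 80, "192.0.2.1", 61003)
    print("reply to :61003 is handled as", classify_inbound(reply))
    print("conflicts with the default pool:",
          range_conflicts(GATEWAY_LISTEN_PORTS, PORT_MASQ_BEGIN, PORT_MASQ_END))
    print("conflicts with a pool starting at 1000:",
          range_conflicts(GATEWAY_LISTEN_PORTS, 1000, 1000 + 4096))


if __name__ == "__main__":
    main()
```

Running it with the constructed data flags the two flows with source ports 61003 and 64900, classifies the reply to 61003 as a de-masquerade candidate, reports no conflicts for the default pool, and reports 1024 and 1100 as the services that a pool starting at 1000 would break.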