TCLUG Archive

Re: [TCLUG:7419] firewall configuration



> After searching dejanews, here's what I found. It sounds like those
> ports are used by the masquerading, but is handled internally so you
> don't need to open the ports up.

Hmm. Maybe I configured my rules badly or I don't understand the whole
business of ipchains, but I think if you are trying to create a firewall
out of your Linux box -- not just a router or ip masquerading machine --
you must open those ports (above 61000) on input. (According to the
IPCHAINS-HOWTO, ipchains checks the input chain *before* it decides
whether a packet should be masqueraded or demasqueraded.) But maybe I
misunderstand the HOWTO.

Are you using ipchains as a firewall / router: filtering input and
masquerading other machines? Are you seeing packets automatically
de-masqueraded in spite of rules on your input chain? If so, would you
share your rules with me (or a secure enough subset)? I'd love a better
set of rules than I have now!

-- 

Nothing convinces me that computing is an art so much as a bad install.

David Guy Brizan          brizan@freenet.msp.mn.us          612-814-8223


"Clayton T. Fandre" wrote:
> 
	...
> 
> After searching dejanews, here's what I found. It sounds like those
> ports are used by the masquerading, but is handled internally so you
> don't need to open the ports up. If you have your IP Masquerading
> machine behind a firewall, (different than your masquerading machine)
> you will need to open up the 61000-65096 range for it to work.
> 
> From Dejanews <SNIP>
> 
> In linux/include/net/ip_masq.h there are two lines looking like this:
> 
>     #define PORT_MASQ_BEGIN 61000
>     #define PORT_MASQ_END  (PORT_MASQ_BEGIN+4096)
> 
> They mean that a kernel compiled using these values will use the ports
> between 61000...61000+4096 for masquerading outgoing connections, i.e.
> when you see connections using a port out of this range as TCP source
> port you can guess they're using masquerading. It's easy to change these
> values, of course, but first most people won't change it (everything
> under linux/ is magic, don't touch it) and second, all ports in the upper
> range are rarely used by programs, so whenever you see high port numbers
> this may be a sign someone's masquerading. People can't set it to low
> numbers, where the numbers usually are when a connection is indeed
> originating from a certain host, because masquerading _must_ use its own
> pool because it can't tell the difference between a packet destined for
> the local host or for another host (for which we masquerade) other than
> by looking at the destination port. If it's in the range given in
> ip_masq.h, the kernel will try to de-masquerade it. (So if someone sets
> the masquerading range too low so that it interferes with packets that
> are really coming from this host these local connections won't work, if
> there are masqueraded connections that have been assigned the same port
> this masqueraded connection will most probably get messed up).
> </SNIP>
> 
> Clay
> 
> Clay Fandre
> cfandre@maddog.mn-linux.org
> Twin Cities Linux Users Group
> http://www.mn-linux.org
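The following is an added example, not code from either poster or from the kernel: it models the decision the quoted Dejanews text describes (the kernel tells a reply for a masqueraded host from local traffic only by whether the destination port falls in the PORT_MASQ_BEGIN..PORT_MASQ_END pool), checks for the "range set too low" collision the post warns about, and builds the input-chain rules David's reading of the IPCHAINS-HOWTO implies a filtering masquerade box needs. The PORT_MASQ_* values are the ones quoted from ip_masq.h; the local ephemeral port range used in the overlap check is a constructed sample, not a kernel default, and the rules are returned as strings rather than executed.

```python
# Added example, not from the thread or the kernel source.
# Models the ipchains-era masquerading port pool described in the quoted post.

# Values quoted in the thread from linux/include/net/ip_masq.h.
PORT_MASQ_BEGIN = 61000
PORT_MASQ_END = PORT_MASQ_BEGIN + 4096   # 65096; treated here as exclusive


def is_masq_port(port, begin=PORT_MASQ_BEGIN, end=PORT_MASQ_END):
    """True if a packet with this destination port belongs to the masq pool."""
    return begin <= port < end


def classify_inbound(dst_port, begin=PORT_MASQ_BEGIN, end=PORT_MASQ_END):
    """Mirror the rule the post describes: the kernel looks only at the
    destination port to decide whether to try de-masquerading a packet."""
    return "demasquerade" if is_masq_port(dst_port, begin, end) else "local"


def pool_overlap(begin, end, local_lo, local_hi):
    """Return the inclusive port span the masq pool shares with the host's own
    ephemeral range (local_lo..local_hi, inclusive), or None if disjoint.
    A non-empty overlap is the failure mode the post warns about: replies to
    local connections would be mistaken for masqueraded traffic."""
    lo = max(begin, local_lo)
    hi = min(end - 1, local_hi)
    return (lo, hi) if lo <= hi else None


def input_rules(interface, begin=PORT_MASQ_BEGIN, end=PORT_MASQ_END):
    """Input-chain rules for a box that both filters and masquerades, per
    David's point that ipchains checks the input chain before it
    de-masquerades: accept the pool range on the external interface.
    TCP is limited to non-SYN packets (! -y) so the pool cannot be used to
    open new connections to the gateway itself. Returned, not executed."""
    rng = "%d:%d" % (begin, end - 1)
    return [
        "ipchains -A input -i %s -p tcp -d 0.0.0.0/0 %s ! -y -j ACCEPT"
        % (interface, rng),
        "ipchains -A input -i %s -p udp -d 0.0.0.0/0 %s -j ACCEPT"
        % (interface, rng),
    ]


if __name__ == "__main__":
    # Constructed sample traffic: (description, destination port).
    samples = [("ssh to gateway", 22), ("reply for masq'd host", 61000),
               ("last pool port", PORT_MASQ_END - 1), ("just past pool", PORT_MASQ_END)]
    for desc, port in samples:
        print("%-22s dport %5d -> %s" % (desc, port, classify_inbound(port)))

    # Constructed local ephemeral range (sample, not a kernel default).
    print("overlap with default pool:", pool_overlap(PORT_MASQ_BEGIN, PORT_MASQ_END, 1024, 4999))
    print("overlap if pool moved to 1024:", pool_overlap(1024, 1024 + 4096, 1024, 4999))
    for rule in input_rules("eth0"):
        print(rule)
```

Moving the pool lower, as the post notes, is only a cosmetic change to the "high port means masquerading" tell; the `pool_overlap` check shows the real cost, which is collisions with the gateway's own connections.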