TCLUG Archive
Re: [TCLUG:7419] firewall configuration
> After searching dejanews, here's what I found. It sounds like those
> ports are used by the masquerading, but that is handled internally so you
> don't need to open the ports up.
Hmm. Maybe I configured my rules badly or I don't understand the whole
business of ipchains, but I think if you are trying to create a firewall
out of your Linux box -- not just a router or ip masquerading machine --
you must open those ports (above 61000) on input. (According to the
IPCHAINS-HOWTO, ipchains checks the input chain *before* it decides
whether a packet should be masqueraded or demasqueraded.) But maybe I
misunderstand the HOWTO.
Are you using ipchains as a firewall / router: filtering input and
masquerading other machines? Are you seeing packets automatically
de-masqueraded in spite of rules on your input chain? If so, would you
share your rules with me (or a secure enough subset)? I'd love a better
set of rules than I have now!
--
Nothing convinces me that computing is an art so much as a bad install.
David Guy Brizan brizan@freenet.msp.mn.us 612-814-8223
"Clayton T. Fandre" wrote:
>
...
>
> After searching dejanews, here's what I found. It sounds like those
> ports are used by the masquerading, but that is handled internally so you
> don't need to open the ports up. If you have your IP Masquerading
> machine behind a firewall (different than your masquerading machine),
> you will need to open up the 61000-65096 range for it to work.
>
> From Dejanews <SNIP>
>
> In linux/include/net/ip_masq.h there are two lines looking like
> this:
> #define PORT_MASQ_BEGIN 61000
> #define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
>
> They mean that a kernel compiled using these values will use the ports
> between 61000...61000+4096 for masquerading outgoing connections, i.e.
> when you see connections using a port out of this range as TCP source
> port you can guess they're using masquerading. It's easy to change these
> values, of course, but first most people won't change it (everything
> under linux/ is magic, don't touch it) and second, all ports in the upper
> range are rarely used by programs, so whenever you see high port numbers
> this may be a sign someone's masquerading. People can't set it to low
> numbers, where the numbers usually are when a connection is indeed
> originating from a certain host, because masquerading _must_ use its own
> pool because it can't tell the difference between a packet destined for
> the local host or for another host (for which we masquerade) other than
> by looking at the destination port. If it's in the range given in
> ip_masq.h, the kernel will try to de-masquerade it. (So if someone sets
> the masquerading range too low so that it interferes with packets that
> are really coming from this host, these local connections won't work; if
> there are masqueraded connections that have been assigned the same port,
> this masqueraded connection will most probably get messed up).
> </SNIP>
>
> Clay
>
> Clay Fandre
> cfandre@maddog.mn-linux.org
> Twin Cities Linux Users Group
> http://www.mn-linux.org
>
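As an added example (not from this thread or either poster), here is an ipchains rule set for the case David describes, a box that both filters and masquerades: it accepts de-masquerade replies into the port pool quoted above on the input chain, but only non-SYN TCP and UDP, so the pool is not opened to new inbound connections (that tightening is mine, not from the posts). Interface names, the external address and the internal net are assumed placeholders, and the commands are printed rather than applied unless IPCHAINS=ipchains is set.

```shell
#!/bin/sh
# Added example: ipchains rules for a Linux box that filters and
# masquerades. Assumed placeholder values (not from the thread):
# external eth0 at 203.0.113.5, internal eth1 serving 192.168.1.0/24.
EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-203.0.113.5}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.1.0/24}
# Pool from the ip_masq.h lines quoted in the thread:
# PORT_MASQ_BEGIN .. PORT_MASQ_BEGIN+4096
MASQ_BEGIN=61000
MASQ_END=$((MASQ_BEGIN + 4096))
# Commands are printed by default; set IPCHAINS=ipchains to apply them.
IPCHAINS=${IPCHAINS:-"echo ipchains"}

# The "high source port" heuristic from the quoted post: true when a
# port falls inside the masquerade pool.
in_masq_pool() {
    [ "$1" -ge "$MASQ_BEGIN" ] && [ "$1" -le "$MASQ_END" ]
}

# ipchains walks the input chain before it decides whether a packet is a
# de-masquerade reply, so replies aimed at the pool must be accepted here.
# A reply to a masqueraded TCP connection is never a bare SYN, so ! -y
# admits replies while refusing new connections from outside.
masq_firewall_rules() {
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -A input -i lo -j ACCEPT
    # TCP replies into the pool, but no new connections (SYN) from outside
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y \
        -d "$EXT_IP" "$MASQ_BEGIN:$MASQ_END" -j ACCEPT
    # UDP has no SYN to test; masqueraded UDP replies need the whole pool
    $IPCHAINS -A input -i "$EXT_IF" -p udp \
        -d "$EXT_IP" "$MASQ_BEGIN:$MASQ_END" -j ACCEPT
    # Log attempts to open a connection into the pool, then deny them
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y \
        -d "$EXT_IP" "$MASQ_BEGIN:$MASQ_END" -l -j DENY
    # Internal net may come in on the inside interface only (no spoofing
    # of internal addresses from eth0), and is masqueraded on the way out
    $IPCHAINS -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

masq_firewall_rules
```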