TCLUG Archive

RE: [TCLUG:7419] firewall configuration



	Clayton T. Fandre said:
> That's a good question. I will test it out tonight and see if I can
> block ports 61000-65000 and see if everything still works. When I did a
> tcpdump yesterday I never saw anything go out on any port > 61000. I'm
> not even sure where those high-port packets would be going or coming
> from. Anyone?
> 
My understanding of how masquerading works is that when a local machine
initiates a connection to the outside, the masqing box rewrites the headers
claiming that the source port was 61000 (or some other high number) and
stores in its masq routing table that port 61000 is really port 80 on
192.168.23.42.  (This is the table that GameSpy overruns.)  The outside box
then responds to the masqing box's 61000 and the process is reversed to get
the data back to your local machine.  (In a sense, masqing behaves like
dynamic port forwarding.)

The local machines can't receive connections initiated from the outside
(without using additional modules or (standard) port forwarding) because if
a connection comes in on port 62222, the masqing box looks in the table,
doesn't find a mapping for that port and ignores the connection attempt.
The masqing machine accepts connections normally on its own ports, however,
which is why you want to either a) use firewall rules along with forwarding
or b) shut down all services on the masqing box if you have a full-time
network connection.

Again, IP masquerading provides a decent level of protection for the other
internal machines that share the gateway's IP address, but it does
absolutely nothing to protect the masquerading host itself.

As for why you haven't seen traffic listed on the high ports, Clay, I
suspect that it may be for the same reason you don't have to tell the
masqing machine to pass those ports when it's also used as a firewall:  It
knows about masquerading and automagically translates the port numbers
before doing anything else with them.  If you set up another machine on the
internet side of your masqing host and relay packets through it, I would
expect you to see the high ports there.
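A small Python model of the masquerade table the poster describes, added here as an illustration and not code from the original message or the Linux kernel. The 61000-65000 port range, the host 192.168.23.42 and the table-overrun case come from the thread; the gateway address 203.0.113.1, the outside host 198.51.100.7 and the client port 1025 are constructed, and the "unmapped high port is ignored" behaviour follows the post's description rather than a real kernel.

```python
"""Toy model of IP masquerading as described in the post (added example)."""
from dataclasses import dataclass, field

MASQ_PORT_RANGE = range(61000, 65001)   # high ports the masq box hands out

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class MasqBox:
    """Gateway whose single public address is shared by the internal hosts."""
    public_ip: str
    table: dict = field(default_factory=dict)  # masq port -> (internal ip, internal port)
    next_port: int = MASQ_PORT_RANGE.start

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it looks like it came from the gateway."""
        for mport, inside in self.table.items():       # reuse an existing mapping
            if inside == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, mport, pkt.dst_ip, pkt.dst_port)
        if self.next_port not in MASQ_PORT_RANGE:
            raise RuntimeError("masq table exhausted")  # the GameSpy overrun case
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[mport] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, mport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Handle a packet arriving from outside: the rewritten packet if a mapping
        exists, None if it hits an unmapped masq port (ignored, as the post says),
        or 'local' if it is for a service running on the masq box itself."""
        if pkt.dst_port in self.table:
            ip, port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if pkt.dst_port in MASQ_PORT_RANGE:
            return None
        return "local"   # the masq box's own ports are still reachable: firewall them

if __name__ == "__main__":
    gw = MasqBox("203.0.113.1")   # constructed public address
    out = gw.outbound(Packet("192.168.23.42", 1025, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply delivered to", gw.inbound(Packet("198.51.100.7", 80, gw.public_ip, out.src_port)))
    print("unsolicited to 62222 ->", gw.inbound(Packet("198.51.100.7", 4444, gw.public_ip, 62222)))
    print("to gateway's own port 22 ->", gw.inbound(Packet("198.51.100.7", 4444, gw.public_ip, 22)))
```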