TCLUG Archive

Re: [TCLUG:7419] firewall configuration



You are totally right. Outgoing packets have a new source address as
well as a new source port, which is above 61000. Here is a tcpdump of my
ip masq system during a www connection. (hacked up a little for
readability)

The internal interface:
14:04:28.090280 pippen.4180 > core.freshmeat.net.80:
14:04:30.540280 core.freshmeat.net.80 > pippen.4180: 
14:04:30.540280 pippen.4180 > core.freshmeat.net.80:

The external interface:
14:04:27.490280 137.16.13.115.61744 > 209.207.168.124.80: 
14:04:27.690280 209.207.168.124.80 > 137.16.13.115.61744: 
14:04:27.900280 137.16.13.115.61744 > 209.207.168.124.80:

pippen being my internal workstation, 138.16.13.115 being my ip masq
machine, and 209.207.168.124 being freshmeat.net.


Dave Sherohman wrote:
> 
>         Clayton T. Fandre said:
> > That's a good question. I will test it out tonight and see if I can
> > block ports 61000-65000 and see if everything still works. When I did a
> > tcpdump yesterday I never saw anything go out on any port > 61000. I'm
> > not even sure where those high-port packets would be going or coming
> > from. Anyone?
> >
> My understanding of how masquerading works is that when a local machine
> initiates a connection to the outside, the masqing box rewrites the headers
> claiming that the source port was 61000 (or some other high number) and
> stores in its masq routing table that port 61000 is really port 80 on
> 192.168.23.42.  (This is the table that GameSpy overruns.)  The outside box
> then responds to the masqing box's 61000 and the process is reversed to get
> the data back to your local machine.  (In a sense, masqing behaves like
> dynamic port forwarding.)
> 
> The local machines can't receive connections initiated from the outside
> (without using additional modules or (standard) port forwarding) because if
> a connection comes in on port 62222, the masqing box looks in the table,
> doesn't find a mapping for that port and ignores the connection attempt.
> The masqing machine accepts connections normally on its own ports, however,
> which is why you want to either a) use firewall rules along with forwarding
> or b) shut down all services on the masqing box if you have a full-time
> network connection.
> 
> Again, IP masquerading provides a decent level of protection for the other
> internal machines that share the gateway's IP address, but it does
> absolutely nothing to protect the masquerading host itself.
> 
> As for why you haven't seen traffic listed on the high ports, Clay, I
> suspect that it may be for the same reason you don't have to tell the
> masqing machine to pass those ports when it's also used as a firewall:  It
> knows about masquerading and automagically translates the port numbers
> before doing anything else with them.  If you set up another machine on the
> internet side of your masqing host and relay packets through it, I would
> expect you to see the high ports there.
> 

-- 
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
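As an added illustration (not code from the thread, and not the kernel's implementation), here is a toy Python model of the masquerading table Dave describes: an outbound packet gets the gateway's address and a port from the 61000-65000 range, a reply to that port is looked up and rewritten back to the internal host, and an inbound packet with no table entry is dropped. The addresses are the thread's own examples; the table layout, the sequential port allocation and the table-full error are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Port range the gateway hands out for rewritten source ports (as in the thread).
MASQ_PORT_MIN, MASQ_PORT_MAX = 61000, 65000


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Toy masq table: masq port -> (internal ip, internal port, remote ip, remote port)."""

    def __init__(self, external_ip: str) -> None:
        self.external_ip = external_ip
        self.next_port = MASQ_PORT_MIN  # assumption: ports handed out sequentially
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN: new source ip and a high source port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(flow)
        if port is None:
            if self.next_port > MASQ_PORT_MAX:
                # The table is finite; this is the overrun the thread blames GameSpy for.
                raise RuntimeError("masq table full")
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.reverse[flow] = port
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the rewrite for a reply; return None (drop) if nothing matches."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            return None  # unsolicited: no mapping, so the masq box ignores it
        int_ip, int_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


if __name__ == "__main__":
    gw = Masquerader("137.16.13.115")
    print(gw.outbound(Packet("192.168.23.42", 4180, "209.207.168.124", 80)))
    print(gw.inbound(Packet("209.207.168.124", 80, "137.16.13.115", 61000)))
```

The model only covers traffic to internal hosts; connections aimed at the gateway's own listening ports, which Dave notes masquerading does nothing to protect, never consult this table.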