Re: blocking RFC 793 ports 1024-49151
From: gaius.petronius (rut@linuxmail.org) Date: 02/02/02
- Next message: Hal Burgiss: "linuxsecurity.com down?"
- Previous message: willp007us: "Re: Network security info"
- In reply to: Ben Webb: "Re: blocking RFC 793 ports 1024-49151"
- Next in thread: L. Walker: "Re: blocking RFC 793 ports 1024-49151"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: rut@linuxmail.org (gaius.petronius) Date: 1 Feb 2002 18:18:41 -0800
ben@bellatrix.pcl.ox.ac.uk (Ben Webb) wrote in message news:<slrna5ku3f.9na.ben@bellatrix.pcl.ox.ac.uk>...
>
> Careful about the subversions.
Yes, I am aware.
Thanks, Ben.
>
> Blocking port ranges is rarely the way to go. A much better solution
> is to set the chain policy (ipchains -P, I believe) to DENY and then only add
> rules to explicitly let through http, ftp and ssh traffic. It makes for much
> easier reading of your firewall ruleset too.
The problem is in the port range 1024-65535.
My previous policy was to allow this range for TCP only, and some
services (like DNS) failed to get UDP client sockets. I then opened
up 1024-65535 for UDP and seem to have opened up a can of worms.
I then reasoned that since I am told it is impossible to know the
particular range of sockets in the 1024-65535 range for a particular
service, what options do I have? On the one hand I must open up
free sockets above 1024 (TCP/UDP) for the DNS, FTP and HTTP requests,
and on the other hand I have these system services running:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:37768           0.0.0.0:*               LISTEN      9695/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      785/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      23849/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      915/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      961/sendmail: accep
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN      32269/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9695/httpd
tcp        1      0 172.168.0.154:21        10.1.1.97:32954         CLOSE_WAIT  23834/tcpd
tcp        0      0 172.168.0.154:22        10.1.1.97:33048         ESTABLISHED 32269/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           785/portmap
So, as you can see, there are sockets in the high range.
I wanted to capture the RFC 793 sockets in the input chain and then, in
my forward chain, allow all in the range 1024-65535.
Is this a bad way to do it?
> (Blocking high-numbered ports may affect _outgoing_ active FTP, but
> this is because ipchains has no connection tracking. I'd recommend using
> iptables for this kind of thing instead.)
>
> Ben
Yes, I need to learn iptables.
As soon as I catch up, that is my next move.
But right now I am not finished learning tripwire.
Thanks to all.
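As an added illustration of the approach Ben recommends (default-deny policy plus explicit accepts, on iptables rather than ipchains), and not part of the original thread: a small script that generates an iptables-restore ruleset in which replies to the host's own DNS, FTP and HTTP clients come back on ephemeral ports 1024-65535 via connection tracking instead of an open port range. The accepted port list, the chain policies and the nf_conntrack_ftp module name are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build a default-deny iptables
# ruleset (iptables-restore format) for a host serving ftp, ssh and http/https.

# TCP ports on which NEW inbound connections are accepted (assumption).
ALLOWED_TCP_PORTS="21 22 80 443"

gen_ruleset() {
    # Emit the ruleset on stdout; $1 overrides the accepted tcp port list.
    ports=${1:-$ALLOWED_TCP_PORTS}
    echo '*filter'
    # Ben's advice: chain policy DENY (DROP in iptables), then explicit accepts.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to our own clients (UDP DNS answers, HTTP responses, FTP data)
    # arrive on high ports; accept them by tracked state, not by port range.
    # This is the connection tracking ipchains lacked (2002-era iptables
    # spelled it "-m state --state ESTABLISHED,RELATED").
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Only the published services may open new connections to us.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

count_accept_rules() {
    # Number of explicit ACCEPT rules in the generated ruleset (for checking).
    gen_ruleset "$1" | grep -c -- '-j ACCEPT'
}

apply_ruleset() {
    # Load the ruleset; needs root and iptables-restore on the host.
    # The ftp helper marks FTP data connections RELATED so active and
    # passive FTP work without opening 1024-65535.
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply the ruleset" >&2; return 1; }
    modprobe nf_conntrack_ftp 2>/dev/null || true
    gen_ruleset | iptables-restore
}
```

Run `gen_ruleset` to review the rules before calling `apply_ruleset`; the ruleset is small enough to read in full, which was the other point Ben made.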