But all is not lost. Several tips and tricks can aid you in creating a tight firewall. The first trick looks at the local port numbers that the system uses for outgoing connections. All TCP connections have a source port and address, and a destination port and address. If you want to control which ports connections are allowed to go out on - and thus the incoming packets you will need to allow in - you must know the port range. Otherwise, to let connections out and the reply data back in, you'll need to allow all the ports in, 65,535 of them.
Luckily, this is configurable in Linux. You can set it in the kernel:
    /usr/src/linux/net/ipv4/tcp_ipv4.c

    /*
     * This array holds the first and last local port number.
     * For high-usage systems, use sysctl to change this to
     * 32768-61000
     */
    int sysctl_local_port_range[2] = { 1024, 4999 };

Or via the proc interface at any time (i.e. in the network startup script):

    /proc/sys/net/ipv4/ip_local_port_range

Basically, any outgoing connection will originate from that port range, allowing you tight control over outgoing and incoming rules.
Could you please explain further? How does this relate to my question? How could I block trojan client (me) -> trojan server (the attacker) using ip_local_port_range? Is this /proc filesystem feature protocol aware?

BB-Zone definition:

    ip_local_port_range
    Range of ports used by TCP and UDP to choose the local port. Contains two numbers, the first number is the lowest port, the second number the highest local port. Default is 1024-4999. Should be changed to 32768-61000 for high-usage systems.

It seems to me that by using this feature I only define what ports have to be used locally for connecting to servers. But there are always a number of trojans in every port range. How could I prevent these by using a non-stateful firewall? Is there a way?

Philipp
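As an added illustration of the mechanism the thread discusses (this is example code, not from either post), the script below pins the ephemeral range with sysctl and builds the stateless rules that match it. It assumes iptables as the filter tool, eth0 as the external interface and the 32768-61000 range quoted above; it also adds a SYN-flag check that the thread does not mention, so that only reply segments (never connection-opening SYNs) are accepted into the range. The verdict function mirrors those rules on a single constructed packet so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): stateless filtering keyed on the
# kernel's local port range. LO/HI, EXT_IF and the use of iptables are
# assumptions for this illustration.
LO=32768
HI=61000
EXT_IF=eth0
MODE=show   # "apply" actually runs the commands (needs root); "show" prints them

# yes/no: does a port fall inside the local (ephemeral) range?
in_local_range() {
    if [ "$1" -ge "$LO" ] && [ "$1" -le "$HI" ]; then echo yes; else echo no; fi
}

# Run a command, or print it when only showing the rule set.
run_or_show() {
    if [ "$MODE" = apply ]; then "$@"; else echo "$@"; fi
}

# The rule set: pin the range, then allow exactly the traffic it implies.
firewall_rules() {
    MODE=${1:-show}
    # Outgoing connections will now choose source ports from LO..HI only.
    run_or_show sysctl -w net.ipv4.ip_local_port_range="$LO $HI"
    # Outbound TCP must originate from that range (server-side listeners
    # answering inbound connections would need their own rules).
    run_or_show iptables -A OUTPUT -o "$EXT_IF" -p tcp --sport "$LO:$HI" -j ACCEPT
    # Replies come back to that range. "! --syn" excludes connection-opening
    # segments, so a program listening inside the range is still not
    # reachable from outside; this is the stateless substitute for tracking.
    run_or_show iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$LO:$HI" ! --syn -j ACCEPT
    # Everything else arriving on the external interface is dropped.
    run_or_show iptables -A INPUT -i "$EXT_IF" -j DROP
}

# Stateless verdict for one TCP packet, mirroring the rules above.
#   $1 = in|out, $2 = local port (dport for in, sport for out), $3 = SYN-only flag (0/1)
verdict() {
    case "$1" in
        out) [ "$(in_local_range "$2")" = yes ] && echo ACCEPT || echo DROP ;;
        in)  if [ "$(in_local_range "$2")" = yes ] && [ "$3" = 0 ]; then
                 echo ACCEPT
             else
                 echo DROP
             fi ;;
        *)   echo DROP ;;
    esac
}

# Print the rule set without applying it.
firewall_rules show
```

Note that the SYN check only helps for TCP: the range pin applies to UDP sockets as well, but UDP has no handshake flags, so a stateless filter cannot tell a UDP reply from a fresh inbound datagram to a port inside the range.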