hi list,

is it possible to accept the "talk" application in any way? I tried to -j ACCEPT the udp port, but talk isn't really using these ports for chatting. Only the first packets are over udp 518, for example. Then the client (remote) sends a new packet (syn) with totally different ports. Does anyone have a solution?

marco

--
Marco Ahrendt                 phone : +49-341-98-474-0
adconsys AG                   fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19       email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany         gnupg key at www.aktex.net/marco_work.asc
Hi,

You could try first to open the communication to the specific chat servers without defining any ports. Having that you could collect some data about how the communication is set up and maintained. And then close what you don't need.

Philipp
On Fri, Mar 09, 2001 at 02:08:49PM +0100, Philipp Snizek wrote:
> Hi,
> You could try first to open the communication to the specific chat servers without defining any ports. Having that you could collect some data about how the communication is set up and maintained. And then close what you don't need.
> Philipp
I set the default policy to DROP. Therefore I have to define some ports for accepting, or anything will go through the firewall. I don't want to define every IP which could get through. Also, if I accept these IPs, any SYN packets coming from there would be accepted. That's not really fine :)

The data looks like this:

Client2 is asking Client1 for talk:

Mar 8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=Client2 DST=Client1 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92

This packet is ok, I can perfectly accept it because port 518 is always the same. But now it's difficult. Client1 is sending something like this:

Mar 8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0

where the SPT and DPT differ every time. I already thought about matching the TTL=123 and accepting this. The TTL seems to be 123 in all packets. Maybe this is a possibility?

Marco

--
Marco Ahrendt                 phone : +49-341-98-474-0
adconsys AG                   fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19       email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany         gnupg key at www.aktex.net/marco_work.asc
> On Fri, Mar 09, 2001 at 02:08:49PM +0100, Philipp Snizek wrote:
>> Hi,
>> You could try first to open the communication to the specific chat servers without defining any ports. Having that you could collect some data about how the communication is set up and maintained. And then close what you don't need.
>> Philipp

> I set the default policy to DROP. Therefore I have to define some ports for accepting, or anything will go through the firewall. I don't want to define every IP which could get through.

Define the whole net, e.g. 1.2.3.0/24.

> Also, if I accept these IPs, any SYN packets coming from there would be accepted. That's not really fine :)

So the question is: who's talking to whom? Client1 requests the connection (SYN packet). Client2 accepts (ACK). But what if Client2 wants to chat? You can't drop SYNs on Client1 then. Or is it always Client1 starting the conversation?

> The data looks like this:
> Client2 is asking Client1 for talk:
>
> Mar 8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=Client2 DST=Client1 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92

Ok. 518 seems to be the control port. You leave this one open.

> This packet is ok, I can perfectly accept it because port 518 is always the same. But now it's difficult.
> Client1 is sending something like this:
>
> Mar 8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0

This seems to be data. What if you do something like this:

  accept 1024:65535 <-> 1024:65535

Question: how low can you set the hi-ports? Would be ok if you would do:

  accept 1024:4999 <-> 1024:4999

What port range does the software need for data exchange?

> where the SPT and DPT differ every time.

Ok.

> I already thought about matching the TTL=123 and accepting this. The TTL seems to be 123 in all packets. Maybe this is a possibility?

Don't know. I don't think that you use ipchains or some firewall software I know.
On Fri, Mar 09, 2001 at 03:21:50PM +0100, Philipp Snizek wrote:
>> Client2 is asking Client1 for talk:
>>
>> Mar 8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=Client2 DST=Client1 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92
>
> Ok. 518 seems to be the control port. You leave this one open.

Yes, that's no problem.

>> Client1 is sending something like this:
>>
>> Mar 8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0
>
> This seems to be data. What if you do something like this:
>
>   accept 1024:65535 <-> 1024:65535
>
> Question: how low can you set the hi-ports? Would be ok if you would do:
>
>   accept 1024:4999 <-> 1024:4999
>
> What port range does the software need for data exchange?

The software seems to use 1700:1800 and 4200:4300. But I don't really want to open all these ports. :) Well.. I think before I open the ports with these great ranges.. I'll deny this chat :)

>> I already thought about matching the TTL=123 and accepting this. The TTL seems to be 123 in all packets. Maybe this is a possibility?
>
> Don't know. I don't think that you use ipchains or some firewall software I know.

I'm using iptables 1.2 (netfilter.kernelnotes.org). It has very nice extensions like string matching, ttl matching and connection tracking, for example. Have a look at it :)

Marco

--
Marco Ahrendt                 phone : +49-341-98-474-0
adconsys AG                   fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19       email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany         gnupg key at www.aktex.net/marco_work.asc
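An added example, not from either poster: the "collect some data" step Philipp suggests, run over iptables LOG lines in the format Marco posted. It correlates each TCP SYN with an earlier UDP/518 control packet between the same two hosts and records the ephemeral ports the data connection used on each side, so a rule can be sized to the observed ranges (Marco found 1700:1800 and 4200:4300) rather than 1024:65535. The Client3 line and the second talk session are constructed; everything else assumes only the LOG field names visible in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG format from the thread: Marco's two
# lines plus two made-up ones (a later talk session and an unrelated Client3).
SAMPLE_LOG = """\
Mar 8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=Client2 DST=Client1 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92
Mar 8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 8 22:40:02 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20901 DF PROTO=TCP SPT=1755 DPT=4290 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 8 22:45:00 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client3 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=TCP SPT=1720 DPT=4250 WINDOW=8192 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH")
NTALK_PORT = "518"  # the one fixed port talk uses (talkd control, UDP)

def parse_line(line):
    """One netfilter LOG line -> dict of KEY=value fields plus a FLAGS set."""
    pkt = dict(FIELD_RE.findall(line))
    pkt["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return pkt

def analyse(log_text):
    """Correlate TCP SYNs with an earlier UDP/518 control packet between the
    same two hosts and record the ephemeral ports each side used."""
    control_pairs = set()                      # (requester, callee) on UDP 518
    ranges = defaultdict(lambda: [65535, 0])   # side -> [lowest, highest]
    result = {"control": 0, "data_syn": 0, "unrelated_syn": 0}
    for line in log_text.splitlines():
        pkt = parse_line(line)
        src, dst = pkt.get("SRC"), pkt.get("DST")
        if pkt.get("PROTO") == "UDP" and pkt.get("DPT") == NTALK_PORT:
            control_pairs.add((src, dst))
            result["control"] += 1
        elif pkt.get("PROTO") == "TCP" and pkt["FLAGS"] == {"SYN"}:
            # As in the log: the callee (Client1) opens TCP back to the requester
            if (dst, src) in control_pairs:
                result["data_syn"] += 1
                for side, port in (("callee", int(pkt["SPT"])), ("requester", int(pkt["DPT"]))):
                    ranges[side][:] = [min(ranges[side][0], port), max(ranges[side][1], port)]
            else:
                result["unrelated_syn"] += 1   # no talk handshake seen: keep dropping
    result["ranges"] = {side: tuple(r) for side, r in ranges.items()}
    return result

def suggest_rule(ranges):
    """Narrowest --syn ACCEPT the observed ports justify (replies then ride an
    ESTABLISHED rule), instead of 1024:65535 <-> 1024:65535."""
    c, r = ranges["callee"], ranges["requester"]
    return f"-p tcp --sport {c[0]}:{c[1]} --dport {r[0]}:{r[1]} --syn -j ACCEPT"
```

Matching on TTL=123 instead would accept any host at the same hop distance; tying each SYN to a preceding control packet (or to connection tracking) is what actually distinguishes a talk session from an arbitrary inbound SYN.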