hi, sorry it took me so long to reply, i was out of office for a while. with regards to your reply, i have a couple of questions...

thus spoke Andrew McGill (on Tue, 16 Jan 2001 02:12:52PM +0200):
  # Which ports do programs use for unbound traffic:
  LOWPORT=10001
  HIGHPORT=20000

  # For the input chain (I jumped to server_i)
  echo "$LOWPORT $HIGHPORT" > /proc/sys/net/ipv4/ip_local_port_range
  ipchains --append server_i -p TCP --dport $LOWPORT:$HIGHPORT -j ACCEPT
  ipchains --append server_i -p UDP --dport $LOWPORT:$HIGHPORT -j ACCEPT
  #
  # other rules for services we expose go here (including ICMP's not shown)
  ipchains --append server_i -p TCP --dport 22 -j ACCEPT
  ipchains --append server_i -j DENY
  So, the server is allowed to make ANY outgoing connections it pleases, but there is no requirement to expose common services in the >1024 port range (e.g. mysql at 3306). It is a good idea to do this BEFORE starting services that make connections, since they will have their data denied if they use ports in the range 1024-4096, as is the default.
i don't think i understand how that works. what does /proc/sys/net/ipv4/ip_local_port_range control? and what is the idea behind this approach?

thanks,
martin

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
-- 
xerox does it again and again and again and ...
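Editor's note, with an added example that is not part of either message in this thread: /proc/sys/net/ipv4/ip_local_port_range holds the low and high end of the range the kernel picks a local (ephemeral) port from when a socket connects or sends without having been bound to a specific port. Andrew's script narrows that range to 10001-20000 and then accepts inbound TCP/UDP whose destination port falls in it, so the reply half of the server's own outgoing connections gets through the input chain while everything else above 1024 (mysql on 3306, say) still hits the final DENY. The script below re-creates that chain's first-match logic in plain POSIX shell so the effect can be checked without ipchains or root; the port constants are the ones from the quoted script, and verdict, range_reaches and emit_rules are names chosen here, not anything from the thread.

```shell
#!/bin/sh
# Added example: emulate Andrew's server_i chain in shell (no ipchains needed).
# Range values are the ones from the quoted script.
LOWPORT=10001
HIGHPORT=20000

# Print the ipchains rules the quoted script installs (dry run: printed, not executed).
emit_rules() {
    cat <<EOF
ipchains --append server_i -p TCP --dport $LOWPORT:$HIGHPORT -j ACCEPT
ipchains --append server_i -p UDP --dport $LOWPORT:$HIGHPORT -j ACCEPT
ipchains --append server_i -p TCP --dport 22 -j ACCEPT
ipchains --append server_i -j DENY
EOF
}

# verdict PROTO DPORT: walk the rules above in order, first match wins.
# Prints ACCEPT or DENY, the same decision ipchains would make for that packet.
verdict() {
    proto=$1
    dport=$2
    # rules 1+2: anything (TCP or UDP) addressed to the ephemeral range
    if [ "$dport" -ge "$LOWPORT" ] && [ "$dport" -le "$HIGHPORT" ]; then
        echo ACCEPT
        return
    fi
    # rule 3: the one exposed service, ssh, TCP only
    if [ "$proto" = TCP ] && [ "$dport" -eq 22 ]; then
        echo ACCEPT
        return
    fi
    # rule 4: everything else
    echo DENY
}

# range_reaches "LOW HIGH": given the contents of ip_local_port_range (the
# kernel prints it as two numbers), say whether every local port the kernel
# could hand out lies inside the ACCEPTed range. Prints yes or no.
range_reaches() {
    set -- $1
    lo=$1
    hi=$2
    if [ "$lo" -ge "$LOWPORT" ] && [ "$hi" -le "$HIGHPORT" ]; then
        echo yes
    else
        echo no
    fi
}

# Demo: replies to a connection made before the range was changed (constructed
# sample: kernel picked local port 3000 from the 1024-4096 default) are denied,
# which is why the script must run BEFORE services that make connections start.
for pkt in "TCP 3000" "TCP 15000" "TCP 3306" "TCP 22" "UDP 22"; do
    echo "$pkt -> $(verdict $pkt)"
done
echo "default range 1024 4096 reaches the ACCEPT rules: $(range_reaches '1024 4096')"
echo "new range $LOWPORT $HIGHPORT reaches the ACCEPT rules: $(range_reaches "$LOWPORT $HIGHPORT")"
```

One caveat a practitioner should keep in mind: ipchains is stateless, so rules 1 and 2 accept any packet whose destination port is in 10001-20000, not just replies to connections the server opened. The approach is only as safe as the guarantee that nothing listens in that range; a later iptables setup with connection tracking (`-m state --state ESTABLISHED,RELATED`) accepts replies without opening a port range at all.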