Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] ftp/firewall security
  • From: MaD dUCK <madduck@xxxxxxxxxxx>
  • Date: Sat, 20 Jan 2001 21:55:00 +0100
  • Message-id: <20010120215500.B6331@xxxxxxxxxxx>
hi,
sorry it took me so long to reply, i was out of office for a while.
with regards to your reply, i have a couple of questions...

also sprach Andrew McGill (on Tue, 16 Jan 2001 02:12:52PM +0200):
> # Which ports do programs use for unbound traffic:
> LOWPORT=10001
> HIGHPORT=20000
> # For the input chain (I jumped to server_i)
> echo "$LOWPORT $HIGHPORT" > /proc/sys/net/ipv4/ip_local_port_range
> ipchains --append server_i -p TCP --dport $LOWPORT:$HIGHPORT -j ACCEPT
> ipchains --append server_i -p UDP --dport $LOWPORT:$HIGHPORT -j ACCEPT
> #
> # other rules for services we expose go here (including ICMP's not shown)
> ipchains --append server_i -p TCP --dport 22 -j ACCEPT
> ipchains --append server_i -j DENY
>
> So, the server is allowed to make ANY outgoing connections it pleases, but
> there is no requirement to expose common services in the >1024 port range
> (e.g. mysql at 3306). It is a good idea to do this BEFORE starting
> services that make connections, since they will have the data denied if
> they use ports in the range 1024-4096 as is default.

i don't think i understand how that works. what does
/proc/sys/net/ipv4/ip_local_port_range control?

and what is the idea behind this approach?

thanks,
martin

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
--
xerox does it again and again and again and ...
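As an added illustration of the mechanism Martin is asking about (not code from this thread, from Andrew's script, or from any SUSE package): `ip_local_port_range` is the range of local ports the kernel hands out to sockets that connect without binding a port, so replies to the server's own outgoing connections arrive with a destination port inside that range. The quoted chain narrows the range to 10001-20000 and ACCEPTs inbound traffic only to that range plus explicitly listed services, so everything else above 1024 (mysql on 3306, say) stays DENYed. The script below models the first-match evaluation of that `server_i` chain and then audits a constructed list of listening sockets against it; the listener list and the port numbers are made up for the example, and the rule model is a simplification of ipchains (destination port only, no addresses or interfaces). It also shows the caveat from the quote: a connection opened while the old default range was in force gets its replies dropped once the narrower rules are loaded.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "any" (the trailing catch-all)
    dport_lo: int   # inclusive destination-port range this rule matches
    dport_hi: int
    target: str     # "ACCEPT" or "DENY"


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range ("lo hi")."""
    lo, hi = (int(x) for x in text.split())
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad ephemeral port range %d-%d" % (lo, hi))
    return lo, hi


def build_server_i_chain(lowport: int, highport: int, exposed_tcp: List[int]) -> List[Rule]:
    """Rebuild the quoted server_i chain: ephemeral range, listed services, then DENY."""
    chain = [Rule("tcp", lowport, highport, "ACCEPT"),
             Rule("udp", lowport, highport, "ACCEPT")]
    chain += [Rule("tcp", p, p, "ACCEPT") for p in exposed_tcp]
    chain.append(Rule("any", 1, 65535, "DENY"))   # ipchains --append server_i -j DENY
    return chain


def verdict(chain: List[Rule], proto: str, dport: int) -> str:
    """ipchains walks the chain in order; the first matching rule decides."""
    for r in chain:
        if r.proto in ("any", proto) and r.dport_lo <= dport <= r.dport_hi:
            return r.target
    return "DENY"   # not reached with the catch-all present, kept as a safe default


# Constructed sample of listening sockets, in the shape `netstat -ltun` would give
# (hypothetical for this example; tcp/12345 stands for a daemon that happened to
# pick a port inside the ephemeral range).
LISTENERS = [("tcp", 22), ("tcp", 3306), ("tcp", 6000), ("udp", 123), ("tcp", 12345)]


def reachable_listeners(chain: List[Rule], listeners) -> list:
    """Listeners an outside host can reach, i.e. those the chain ACCEPTs.
    Anything listening inside the ephemeral range is exposed even though it was
    never listed as a service, which is the main caveat of this approach."""
    return [l for l in listeners if verdict(chain, *l) == "ACCEPT"]


def listeners_inside_range(lo: int, hi: int, listeners) -> list:
    """Audit check: listeners sitting inside ip_local_port_range. They are reachable
    through the range rule and also collide with ports the kernel wants for
    outgoing connections, so either move them or narrow the range around them."""
    return [l for l in listeners if lo <= l[1] <= hi]


def reply_to_old_connection(chain: List[Rule], old_source_port: int) -> str:
    """A connection opened before the range was narrowed used a source port from the
    old default (the quote gives 1024-4096). Its reply comes back with that port as
    dport and is now DENYed, hence 'set the range BEFORE starting services'."""
    return verdict(chain, "tcp", old_source_port)


if __name__ == "__main__":
    lo, hi = parse_port_range("10001\t20000\n")      # what the quoted echo writes
    chain = build_server_i_chain(lo, hi, exposed_tcp=[22])
    for proto, port in LISTENERS:
        print("%s/%-5d %s" % (proto, port, verdict(chain, proto, port)))
    print("inside ephemeral range:", listeners_inside_range(lo, hi, LISTENERS))
    print("reply to old conn on 2048:", reply_to_old_connection(chain, 2048))
```

The audit functions are the part worth keeping: before relying on an "accept the ephemeral range" rule, list what actually listens there, because a stateless filter cannot tell a reply from a fresh connection attempt to a port in that range.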
