On Fri, Mar 09, 2001 at 02:08:49PM +0100, Philipp Snizek wrote:
Hi, you could try first to open the communication to the specific chat servers without defining any ports. Having that, you could collect some data about how the communication is set up and maintained, and then close what you don't need.
Philipp
I set the default policy to DROP. Therefore I have to define some ports for accepting, or nothing will go through the firewall. I don't want to define every IP which could get through.
Define the whole net. e.g. 1.2.3.0/24
Also, if I accept these IPs, any SYN packets coming from there would be accepted. That's not really fine :)
So the question is: who's talking to whom? client1 requests connection (syn packet). client2 accepts (ack). But what if client2 wants to chat? You can't drop syns on client1 then. Or is it always client1 starting the conversation?
The data looks like this:
Client2 is asking Client1 for talk: Mar 8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=Client2 DST=Client1 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92
Ok, 518 seems to be the control port. You leave this one open.
This packet is ok; I can perfectly accept it because port 518 is always the same. But now it's difficult.
Client1 is sending something like this: Mar 8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=Client1 DST=Client2 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0
This seems to be data. What if you do something like this: accept 1024:65535 <-> 1024:65535. Question: how low can you set the high ports? Would it be ok if you did: accept 1024:4999 <-> 1024:4999? What port range does the software need for data exchange?
where the SPT and DPT differ every time.
Ok.
I already thought about matching TTL=123 and accepting this. The TTL seems to be 123 in all packets. Maybe this is a possibility?
Don't know. I don't think that you use ipchains or some firewall software I know.
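The "collect some data first, then close what you don't need" approach suggested at the top of the thread can be done mechanically from the kernel log lines quoted above. The following is an added example, not code from anyone in this thread: a small parser for the IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= format of the netfilter LOG target, which groups the observed destination ports by protocol and direction so that the accept range can be chosen from what was actually seen rather than a blanket 1024:65535. The log prefix "Firewall: " is taken from the quoted lines; the sample lines below are constructed for the example, with documentation-range addresses standing in for Client1 and Client2.

```python
import re
from collections import defaultdict

# Constructed sample lines mirroring the netfilter LOG format quoted in the thread.
# 192.0.2.10 stands in for Client1 and 198.51.100.20 for Client2 (placeholders, not real hosts).
SAMPLE_LOG = """\
Mar  8 22:30:32 skinner kernel: Firewall: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=112 TOS=0x00 PREC=0x00 TTL=127 ID=64298 PROTO=UDP SPT=4240 DPT=518 LEN=92
Mar  8 22:33:17 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20812 DF PROTO=TCP SPT=1702 DPT=4245 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  8 22:35:02 skinner kernel: Firewall: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=20913 DF PROTO=TCP SPT=1703 DPT=4251 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  8 22:36:40 skinner sshd[412]: Accepted publickey for admin from 192.0.2.10
"""

LOG_MARKER = "Firewall: "          # the --log-prefix used in the quoted lines (assumption)
KV_RE = re.compile(r"(\w+)=(\S+)")
# Bare tokens that carry no "=value" part in LOG output: IP and TCP flags.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}
INT_FIELDS = ("SPT", "DPT", "TTL", "ID")


def parse_fw_line(line):
    """Return a dict of fields from one netfilter LOG line, or None if the line is not one."""
    idx = line.find(LOG_MARKER)
    if idx < 0:
        return None
    rec = {"flags": set()}
    for tok in line[idx + len(LOG_MARKER):].split():
        m = KV_RE.fullmatch(tok)
        if m:
            key, val = m.groups()
            # LEN appears twice (IP total length, then the UDP length); keep both.
            if key in rec:
                key += "2"
            rec[key] = val
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify(rec):
    """'control' for a fixed well-known destination port (like ntalk's 518), else 'data'."""
    return "control" if rec["DPT"] < 1024 else "data"


def summarize_ports(log_text):
    """Group observed destination ports by (PROTO, IN->OUT direction).

    Returns {(proto, direction): (lowest_port, highest_port, distinct_count)} so the
    narrowest range that covers the observed data connections can be read off.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or "PROTO" not in rec or "DPT" not in rec:
            continue  # non-firewall line or a protocol without ports (e.g. ICMP)
        direction = f"{rec['IN']}->{rec['OUT']}"
        seen[(rec["PROTO"], direction)].add(rec["DPT"])
    return {key: (min(ports), max(ports), len(ports)) for key, ports in seen.items()}


if __name__ == "__main__":
    for (proto, direction), (lo, hi, n) in sorted(summarize_ports(SAMPLE_LOG).items()):
        print(f"{proto:4} {direction:12} ports {lo}:{hi} ({n} distinct)")
```

Run against a real log the summary shows, per direction, the span of ports the data connections actually used, which answers the "how low can you set the high ports" question with evidence instead of a guess. Two caveats from a defender's side: the log format above is the netfilter (iptables) LOG target's, and with netfilter the return half of a connection is normally allowed with the connection-tracking state match (ESTABLISHED,RELATED) rather than by opening a high-port range in both directions; and matching on TTL=123, as considered above, is a weak filter, since the TTL depends on the sender's OS default and the path length and says nothing about who the sender is.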