9 May 2001 12:16
On Wednesday 09 May 2001 12:20, Markus Gaugusch wrote:
> > IMHO a packet filter like ipchains can only decide what to do with a
> > packet by looking at this very packet. So if you get a packet without
> > SYN flag set from somewhere to, say, port 61500, how can ipchains
> > know if it's a response to a masqueraded request or a response to a
> > request from a local app using this port?
>
> It is not decided by ipchains, but the kernel. The kernel knows the
> masqueraded connections, and can therefore distinguish between local and
> masqueraded connections.

Yes, but given the following scenario:

1) A client behind a firewall is masqueraded, and it uses a program that
connects to a server outside (masqueraded by the firewall). The reply from
the server goes to the port which is used by the firewall kernel for
masquerading (say 61500). In my input chain on the firewall I have to
ACCEPT packets to this port.

2) On the firewall there is a program which tries to connect to the
internet, but should not be allowed to (for whatever reason, maybe a
backdoor or trojan or whatever, or even just for added security). Now, say
this program uses the local port 61500 for an outbound connection (assuming
it is not used by the masquerading this time). If I want to block responses
to this program, on the input chain I have to DENY packets to this port.

So, in my firewall script I have no possibility to decide if an incoming
packet to a port in this range is to be allowed or not. If I have separate
port ranges for local and masqueraded connections, this decision can be
based on the port range.

OTOH, I don't know if a program cannot be told to use a port outside the
local port range. I suppose it can, in which case this discussion would be
somewhat useless.

Andreas Baetz
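The port-range separation Andreas describes can be written down as an ipchains rule set. The script below is an added example, not code from the post or from the ipchains project: it keeps the firewall host's own ephemeral ports (ip_local_port_range) disjoint from the range the 2.2 masquerading code rewrites source ports into (61000-65095, the kernel default), accepts non-SYN TCP replies only into the masquerade range, and logs and denies non-SYN TCP into the local range. It prints the commands rather than running them so the rule set can be reviewed first; the interface name eth0 and the ranges are assumptions taken from the 2.2 defaults.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate ipchains input-chain
# rules that tell masquerade replies apart from replies to the firewall's own
# connections by keeping the two TCP port ranges disjoint.
#
# Assumptions: Linux 2.2 ipchains masquerading (rewrites source ports into
# 61000-65095 by default) and a local ephemeral range controlled by
# /proc/sys/net/ipv4/ip_local_port_range (2.2 default 1024-4999).
# EXT_IF is a placeholder for the firewall's external interface.

EXT_IF=${EXT_IF:-eth0}
MASQ_LO=${MASQ_LO:-61000}
MASQ_HI=${MASQ_HI:-65095}
LOCAL_LO=${LOCAL_LO:-1024}
LOCAL_HI=${LOCAL_HI:-4999}

# ranges_disjoint LO1 HI1 LO2 HI2: succeed only when the two ranges do not
# overlap, because an overlap is exactly the case where the input chain
# cannot decide whom a non-SYN reply belongs to.
ranges_disjoint() {
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# gen_input_rules: print the sysctl setting and the ipchains rules to stdout.
# Refuses to emit anything if the ranges overlap.
gen_input_rules() {
    ranges_disjoint "$LOCAL_LO" "$LOCAL_HI" "$MASQ_LO" "$MASQ_HI" || {
        echo "error: local range $LOCAL_LO:$LOCAL_HI overlaps masquerade range $MASQ_LO:$MASQ_HI" >&2
        return 1
    }
    cat <<EOF
# keep the firewall's own ephemeral ports out of the masquerade range
echo "$LOCAL_LO $LOCAL_HI" > /proc/sys/net/ipv4/ip_local_port_range
# replies to masqueraded client connections: non-SYN TCP into the masq range only
ipchains -A input -i $EXT_IF -p tcp ! -y --destination-port $MASQ_LO:$MASQ_HI -j ACCEPT
# replies to the firewall host's own outbound TCP connections are logged and refused
ipchains -A input -i $EXT_IF -p tcp ! -y --destination-port $LOCAL_LO:$LOCAL_HI -j DENY -l
EOF
}

# Stand-alone use: ./masq-ranges.sh --print | less   (then pipe into sh on the firewall)
if [ "${1:-}" = "--print" ]; then
    gen_input_rules
fi
```

Two things worth knowing before relying on this. First, the default 2.2 ranges are already disjoint, so the decision Andreas wants is possible with stock settings as long as nobody raises ip_local_port_range into the 61000+ region. Second, the caveat at the end of the post holds: a process on the firewall can bind() an explicit source port inside the masquerade range, and its replies will then match the ACCEPT rule; the port-range rule raises the bar for an unwanted program, it does not replace controlling what runs on the firewall host.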