Mailinglist Archive: opensuse-security (555 mails)

Re: [suse-security] Message Log Question
  • From: Andreas Bätz <andreas.baetz@xxxxxxxx>
  • Date: Wed, 9 May 2001 14:16:54 +0200
  • Message-id: <01050914165400.04169@PP1>
On Wednesday 09 May 2001 12:20, Markus Gaugusch wrote:
> > IMHO a packet filter like ipchains can only decide what to do with a
> > packet by looking at this very packet. So if you get a packet without
> > SYN flag set from somewhere to, say, port 61500, how can ipchains
> > know if it's a response to a masqueraded request or a response to a
> > request from a local app using this port?
>
> It is not decided by ipchains, but the kernel. The kernel knows the
> masqueraded connections, and can differ between local and masqueraded
> connections therefore.
Yes, but given the following scenario:
1) A client behind a firewall is masqueraded, and it uses a program that
connects to a server outside (masqueraded by the firewall). The reply from the
server goes to the port which is used by the firewall kernel for masquerading
(say 61500). In my input chain on the firewall I have to ACCEPT packets to this port.
2) On the firewall there is a program which tries to connect to the internet, but should
not be allowed to (for whatever reason, maybe a backdoor or trojan or what or even
just for added security). Now, say this program uses the local port 61500 for outbound
connection (assuming it is not used by the masquerading this time).
If I want to block responses to this program, on the input chain I have to DENY packets
to this port.
So, in my firewall script I have no possibility to decide if an incoming packet to a port
in this range is to be allowed or not. If I have separate port ranges for local and
masqueraded connections, this decision can be based on the port range. OTOH, I don't
know if a program cannot be told to use a port outside the local port range. I suppose
it can, in which case this discussion would be somewhat useless.

Andreas Baetz


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been scanned
for the presence of computer viruses.
**********************************************************************
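
The dilemma described in the message above, modelled as a small stateless filter. This is an added example and not code from the mailing list or from ipchains itself: it models an INPUT chain that can only look at the packet header (destination port and SYN flag), exactly as the post says, and shows that whether a reply to a forbidden local program slips through depends entirely on whether the local port range and the masquerade port range overlap. The masquerade range 61000-65095 is the compiled-in default of the 2.2 kernels of that era and the local range 1024-4999 is the 2.2 default for ip_local_port_range; both are assumptions here, and the packet and rule classes are constructed for the example.

```python
"""Stateless input-chain model: a packet filter that sees one packet at a time.

Constructed example. It reproduces the reasoning from the post: on the INPUT
chain the firewall must ACCEPT non-SYN packets to the masquerade port range
(replies for masqueraded clients) but would like to DENY replies to a local
program it does not trust. With only the header to look at, the port range is
the sole thing that can tell the two apart.
"""
from dataclasses import dataclass

# Assumed defaults of the Linux 2.2 kernels discussed in the thread.
MASQ_PORTS = range(61000, 65096)        # ports the kernel hands out for masquerading
LOCAL_PORTS_DEFAULT = range(1024, 5000) # default ip_local_port_range for local apps
LOCAL_PORTS_WIDENED = range(1024, 65536) # an admin-widened local range (constructed)


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filter can actually inspect."""
    dport: int
    syn: bool


def input_verdict(pkt: Packet, masq_ports: range = MASQ_PORTS) -> str:
    """Decide ACCEPT/DENY for an inbound packet with no connection state.

    Rule 1: any inbound SYN is DENIED (no new connections from outside).
    Rule 2: a non-SYN packet to the masquerade range is ACCEPTED, because it
            may be the reply a masqueraded client is waiting for.
    Rule 3: everything else is DENIED.
    The filter cannot know whether rule 2 just admitted a reply to a local
    program that happened to pick the same port.
    """
    if pkt.syn:
        return "DENY"
    if pkt.dport in masq_ports:
        return "ACCEPT"
    return "DENY"


def range_overlap(a: range, b: range) -> range:
    """Ports that both ranges can hand out (empty range if disjoint)."""
    return range(max(a.start, b.start), min(a.stop, b.stop))


def leaking_local_ports(local_ports: range, masq_ports: range = MASQ_PORTS) -> list:
    """Local source ports whose replies the INPUT chain would ACCEPT.

    For each port the local program might be assigned, ask the filter what it
    does with the non-SYN reply coming back to that port. A non-empty result
    means the port-range based DENY cannot be expressed at all.
    """
    return [p for p in local_ports
            if input_verdict(Packet(dport=p, syn=False), masq_ports) == "ACCEPT"]


if __name__ == "__main__":
    # The exact case from the post: a reply to port 61500 after masquerading.
    print("reply to masq port 61500:", input_verdict(Packet(61500, syn=False)))
    # Same port, but now a local program chose it. Same packet, same verdict.
    print("reply to local app on 61500:", input_verdict(Packet(61500, syn=False)))
    for name, rng in (("default", LOCAL_PORTS_DEFAULT), ("widened", LOCAL_PORTS_WIDENED)):
        leak = leaking_local_ports(rng)
        print(f"{name} local range {rng.start}-{rng.stop - 1}: "
              f"{len(leak)} ports where a reply would be accepted")
```

With the default 2.2 ranges the two never overlap, so the decision by port range the post proposes works; once the local range is widened to cover the masquerade ports, every port in the overlap becomes a hole that the stateless INPUT chain cannot close. The practical check on a real box is therefore to compare ip_local_port_range against the masquerade range before relying on port-based rules.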
