Mailinglist Archive: opensuse-security (605 mails)
limit MASQ port range
- From: "Andreas Achtzehn" <suse-security@xxxxxxxxxxxxxxx>
- Date: Tue, 23 Oct 2001 10:13:42 +0200
- Message-id: <001801c15b9a$a11d7cc0$0100a8c0@paris>
Dear list readers,
Out of educational interest, and to understand the advanced features of
packet filtering in a better way, I am trying to build an ipchains-based
firewall on my own. The basic policy of all rules is to deny traffic.
I'd like to build a machine which does masquerading for an internal
network but keeps the users ON the machine from running their own
servers on TCP or UDP high ports.
I found no way to distinguish between a port that is used by the firewall
machine for local usage and a port that is used for masquerading a
connection from the inside network. This is my basic idea of the
firewall.
Basic policy: DENY
1. Do masquerading for internal network.
2. Allow SSH connection from internal network.
3. Deny lowport (1-1024) connections to machine.
4. Do forwarding of masqueraded (highport) connections.
5. Deny highport local services.
Using /proc/sys/net/ipv4/ip_local_port_range it is possible to limit the
range of high ports. Is it possible to limit the range of masqueraded
ports to a certain scope? I could replace rules 4 and 5 by
4. Deny port 1024-20000 connections. --> locally used ports
5. Accept port 20001-65000 connections. --> masqueraded ports
Do you have any other idea of how to distinguish between incoming packets for
masqueraded connections and incoming packets for local high-port
services? The packet headers seem to look the same.
Regards,
Andreas Achtzehn
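The rule set below is an added example, not code from the original post, showing one way to realise the scheme Andreas sketches with ipchains on a 2.2 kernel: the kernel allocates masqueraded connections from its own port range (61000-65095 by default), which is separate from ip_local_port_range, so incoming packets on the external interface are accepted only when their destination port lies in that range, and every other high port is treated as a local service and denied. The interface names eth0/eth1, the internal network 192.168.0.0/24 and the firewall's internal address 192.168.0.1 are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added example: ipchains rules for the "deny local high ports, allow
# masqueraded replies" design. Assumed values (not from the post):
# eth0 external, eth1 internal, 192.168.0.0/24 inside, 192.168.0.1 on eth1.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # set IPCHAINS=echo for a dry run
EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
INT_IF="${INT_IF:-eth1}"                 # assumed internal interface
INT_NET="${INT_NET:-192.168.0.0/24}"     # assumed internal network
INT_IP="${INT_IP:-192.168.0.1}"          # assumed firewall address on INT_IF
MASQ_PORTS="61000:65095"                 # 2.2 kernel default masquerade range
LOCAL_HIGH="1024:60999"                  # high ports that belong to local services

masq_rules() {
    # Basic policy: DENY on all built-in chains, starting from empty chains.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY

    # Loopback is unrestricted.
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT

    # Rule 2: SSH to the firewall itself, from the inside only.
    $IPCHAINS -A input -i "$INT_IF" -p tcp -s "$INT_NET" -d "$INT_IP" --dport 22 -j ACCEPT
    # Rules 3 and 5 for the inside: nothing else reaches the firewall's own
    # address, neither low nor high ports. Logged so misconfigurations show up.
    $IPCHAINS -A input -i "$INT_IF" -d "$INT_IP" -j DENY -l

    # Rule 1: packets from inside bound elsewhere pass the input chain and are
    # masqueraded on the forward chain as they leave through EXT_IF.
    $IPCHAINS -A input   -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

    # Rule 4: replies from outside. After the input chain the kernel
    # demasquerades packets addressed to the masquerade port range, so only
    # that range is accepted on EXT_IF. TCP replies are never new
    # connections, hence "! -y" (not SYN).
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y --dport "$MASQ_PORTS" -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp      --dport "$MASQ_PORTS" -j ACCEPT

    # Rule 5: every other high port is a local service; deny and log.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport "$LOCAL_HIGH" -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p udp --dport "$LOCAL_HIGH" -j DENY -l
    # Rule 3: low ports, the same treatment.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 1:1023 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p udp --dport 1:1023 -j DENY -l

    # Output: masqueraded packets leave with the firewall's address and a
    # source port from the masquerade range; local processes get nothing
    # else out through EXT_IF. Forwarded replies and SSH answers go inside.
    $IPCHAINS -A output -i "$EXT_IF" -p tcp --sport "$MASQ_PORTS" -j ACCEPT
    $IPCHAINS -A output -i "$EXT_IF" -p udp --sport "$MASQ_PORTS" -j ACCEPT
    $IPCHAINS -A output -i "$INT_IF" -d "$INT_NET" -j ACCEPT
}

case "${1:-}" in
    apply)   masq_rules ;;
    dry-run) IPCHAINS=echo; masq_rules ;;
esac
```

`sh firewall.sh dry-run` prints the rules without touching the kernel; `apply` installs them. One caveat the port-range split does not cover: the filter tells masqueraded replies apart from local services purely by port number, so a local process that explicitly binds a port inside 61000-65095 is still reachable through the ACCEPT rule. Keeping ip_local_port_range below 61000 stops ordinary sockets from landing there by accident, but not a deliberate bind.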