Hi. Please, please, please... Can anyone tell me how to use PAT under SuSEFirewall2? Sorry for using this thread to ask this, but Tom mentioned it and I got nervous because I have been trying it for a while. In the end, I used squid for apache, but I found nothing for ssh and cvs, so I have to check the firewall along with the ssh, cvs and snort logs. Regards.

On Tuesday, 11 May 2004 17:32, Tom Kramer wrote:
Markus A. Radner wrote:
If you take a look at the following entry of my log file you will see that someone from source port 80 is connecting to (or trying to?) my local port 1077. So I am curious. Which software is running there, or at any other (high) port of interest? Is there any way to find out? (OK, I know that there's a list of ports and protocols for low ports in /etc/protocolls; but what about higher ports?)
SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
Again, this is the *answer* from the http server at 64.151.x.x, port 80. Basically (most of the time), tcp/udp services accept connections on low ports (<1024), and clients connect to these services using high ports (>1024). Return packets use the same connection (ports).
And don't forget that NAT has been done in the meantime. NO ONE CAN ROUTE TO THE LOCAL 192.168.0.2 address from outside. To be exact, NAT (Network Address Translation) and PAT are done by the SuSE firewall. Both in combination are called MASQUERADING. This rewrites the answer packets.
Otherwise your LAN behind the firewall can't address locations on the internet. I am sure that you have only one official IP given by your provider! All clients in your LAN have to share this one IP. And this is done by MASQUERADING.
So you can't infer the real port allocated on the outside from the given log entry.
For this you have to run *tcpdump* on your outside interface and then make another http request. This will clear up much of the confusion.
Tom
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
--
Manuel Balderrábano
e-mail: garibolo@wanadoo.es