Hi, I have written my own firewall script to protect my home LAN using iptables. I drop all connections from the outside made to ports 0-1023 and accept all connections to port 1024 and above. This protects my system from connections via telnet, ssh, ftp, etc., but are there any of the upper ports that I should block as well? I left them untouched, because data is transferred on the higher ports after the connection has been established.
-- regards, Jens
---------------------------------------------------------------------------
instant networks - network management & internet full services
If I were you, I'd block ALL ports and open only the
ones you want to access (ftp, telnet, etc). There are
many programs out there that live above the 1024 limit
and could cause you issues.
As far as using the higher ports, these are usually
used when you connect to something (they are randomly
selected). To get around this, you can tell iptables
to allow the packets if they do not include a SYN.
This prevents new connections from being made on those
ports, but allows your PC to use existing connections
(That your previous firewall rules would allow).
# Allow TCP packets that are not SYN
iptables -I INPUT -j ACCEPT -p tcp ! --syn
Hope this helps
Joe
=====
Joseph Hobbs
Ionic Productions LLC
hobbsj@somecrazyfool.com
On Tue, 19 Feb 2002 01:20:55 +0100, Jens Georg wrote:
Hi, I have written my own firewall script to protect my home LAN using iptables. I drop all connections from the outside made to ports 0-1023 and accept all connections to port 1024 and above. This protects my system from connections via telnet, ssh, ftp, etc., but are there any of the upper ports that I should block as well? I left them untouched, because data is transferred on the higher ports after the connection has been established.
A rule like:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
would also IMHO be a good solution. With that rule, all connections which are established or are related to an established connection would go through.
regards, Jan
--
Jan Räther
Universität Hamburg
Zentrum für Molekulare Neurobiologie
Service-Gruppe EDV
Falkenried 94
20251 Hamburg
Germany
Tel.: 040 - 428 - 03 - 6619
Fax.: 040 - 428 - 03 - 6621
When you try to make an impression, the chances are that is the impression you will make.
But that rule only has an effect if the default policy for the INPUT chain is set to DROP/DENY. So check that.
Michael Appeldorn
If you don't know exactly what you are doing, try a script-based solution. Get e.g. SuSEfirewall2 here: www.suse.com\~marc
And, to answer your question: only services that are started can get compromised. Normally services come up in SysV init scripts and especially via inetd (/etc/rc.config to disable). To check which services are bound to a port, simply type:
netstat -an | grep -i listen
Yours, Michael
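The three replies above fit together into one ruleset: a DROP default policy on INPUT (Michael's point, without which stateful ACCEPT rules change nothing), an ESTABLISHED,RELATED rule so that replies to connections the host opened get in without leaving every port above 1023 open (Jan's rule), and explicit ACCEPT rules only for the services actually running (Joe's advice). The script below is an added example, not code from anyone in this thread; the interface name, the port list and the dry-run mechanism are assumptions. By default it only prints the iptables commands it would run; set IPTABLES=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain with stateful ACCEPT, built from the
# suggestions in this thread. Not the original poster's script.
# IPTABLES defaults to "echo iptables" (dry run, prints the commands);
# IPTABLES=iptables applies them for real (needs root).
# WAN_IF is an assumption; change it to your outside interface.
WAN_IF="${WAN_IF:-eth0}"

# build_ruleset: flush INPUT, set DROP policy, allow loopback and
# established/related traffic, then open only the TCP ports given as
# arguments (e.g. "build_ruleset 22 80"). Everything else is logged and
# hits the DROP policy, including new connections to ports above 1023.
build_ruleset() {
    ipt="${IPTABLES:-echo iptables}"

    $ipt -F INPUT
    # Michael's point: stateful rules only matter if the policy is not ACCEPT.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Local processes talk to each other over loopback.
    $ipt -A INPUT -i lo -j ACCEPT

    # Packets that do not belong to any known connection (e.g. a stray ACK
    # without a SYN having been seen) are dropped rather than trusted.
    $ipt -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP

    # Jan's rule: replies to connections this host opened, and related
    # traffic such as an FTP data channel, are accepted regardless of port.
    $ipt -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Joe's advice: open only the services you run, as NEW connections.
    for port in "$@"; do
        $ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of whatever falls through to the DROP policy, so
    # unexpected connection attempts show up in syslog.
    $ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# count_rules: number of iptables commands a dry run would emit for the
# given ports; lets you sanity-check the ruleset size before applying it.
count_rules() {
    IPTABLES="echo iptables" build_ruleset "$@" | grep -c '^iptables'
}

# Dry-run demonstration: opens ssh (22) and http (80) only.
build_ruleset 22 80
```

Apply it with `IPTABLES=iptables WAN_IF=eth0 sh fw.sh` (as root) once the printed commands look right; `iptables -L INPUT -n -v` afterwards shows the rules and their hit counters.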
participants (4)
- Jan Räther
- Jens Georg
- Joseph Hobbs
- Michael Appeldorn