also sprach Philipp Snizek (on Tue, 26 Dec 2000 10:18:57PM +0100):
>> it uses port 4000, so yes, i could disable all ports above 1024
>
> It's not just that you could, you have to! But take care of the ftp problem. You have to find a solution for that.
i am working on it. i still don't understand how squid solves this... more later.
>> , but let me ask you another thing about this ftp thingy... i think i knew the difference between active and passive and that you basically want to stick to passive whenever possible just so that port 20 (which is far more insecure than anything above 1024) can remain closed.
> Aehm...why is port 20 as ftp-data port more insecure than ftp-data port on e.g. 40348? Isn't this just security by obscurity?
because ports < 1024 can only be opened by root, so a process attached to port 20 runs as root (the process may later switch to a different user). point of the matter is that root is involved with port 20 and not necessarily with 40348. and when root's involved, there's danger!
>> and i really can't see how squid would solve this.
> The joke lies in the iso/osi model. Squid is a proxy and runs on layer 7 (application layer firewall). What you have is a network level firewall. Squid replaces the forward chain and this is your gain. Take a look at my ipchains script I sent you today. Try to make a drawing of it. Then you will see how I designed it.
i can't open your file, it's somehow windoze whacky encoded... please send it again plain text. i am using linux purely... anyway, so take squid... on the internal side of this software router (i do understand the concept of a proxy), all the ports are open, so there's no problem - other than squid speaking no ftp on the client side (which means we cannot use ftp clients...). on the external side, however, squid is just a regular client so it will tell the server to use its port 12345 or whatever, which needs to be opened in the input chain for the external interface. we could do one of two things:

- allow all packets that come from port 21 of a server.
- allow all packets that come to our ftp-data port.

the first method is suicidal as far as i know since i can then launch my attack from port 21, and the second method is impossible since the ftp-data port is assigned at random... we might be able to bind it to port 20, but then we could never have two ftp transfers at the same time... so i have to open the firewall to packets destined for ports 1024 and above - which is the pool used by the ftp client to allocate the data port.
>> but anyhow, even for things like ssh, since ipchains is not a context firewall,
> I'm sorry, what is a context firewall?
ipchains is a packet firewall, meaning it filters by packet. a context firewall such as firewall-1 or some cisco stuff is one which says that since there is a connection from 10.0.0.24:3452 to 202.143.23.123:21, i'll allow a connection from 202.143.23.123:21 to 10.0.0.24:3452 for a short while. so all ports are closed except for the ones running actual services and the ones that are currently being used. it's quite nice and as soon as i find a nice firewall for linux that's free and context-based, i am off ipchains...
>> i have to either say allow all connections to ports 1024+, or allow everything from port 22,
>
> No, you don't have to. Find out what ports above 1024 are used by your client to access the ssh server on your firewall box. See how I did it in my script.
i don't think this is how it works. berkeley sockets provide a way to "get the next free port" with the following call, which is most frequently used in programs that spawn to handle client connects - and which is used by passive ftp to obtain a data port:

    addr.sin_port = htons(0);

this returns the next free port, which could be anything above 1024 and so i don't think there's a certain range of 1024+ ports that you could open just to allow ssh for instance. and even if there was, say 16 ssh data ports, what if i wanted 17 connections???
>>> for int eth and ext eth as well as output rule for int and ext eth.
>> yes, i do understand this quite well. nevertheless, ports 1024+ are then still needed.
> Yes, but only for the input and output chains. Not for the forward chain. You can completely close it. Traffic for www, ftp and ssl isn't routed anymore. It is handled by the proxy (as already said above: layer 7). My goal is to set up a proxy for all services (also for smtp and pop). Then I could shut down routing. My firewall would be God damn very secure.
well, ipchains only provides routing from the inside to the outside, never from the outside to the inside network - so the only danger that really exists is man-in-the-middle attacks as well as attacks aimed straight at the firewall... only as soon as root on the firewall has been compromised, then access to the network is possible. individual attacks on the workstations are not possible as far as i know - even if i had a zero length root password and telnet on one of the machines...
> So why don't you shut down finger if you know that?
i might. as i said, it's not that important to have a highly secure firewall for there's nothing of interest on the machines in here, and it's dialup, so the ip changes every now and then, but i am learning by doing...
>> irc...
>
> Hmm...never tried it. I think it's a waste of time.
not true. depends on the channels. it's usually a very quick source of answers for programming and linux stuff...
>>> nice medals?
>>
>> my other certs are nice, the MCSE is a joke! i regret it, it's dirt on my business card!
> Being MCSE is being a more qualified end-user supporter in a company. Bah! I hate such work. People are ignorant.
word.
> But since I'm paid CHF 150/h I do it. Sometimes it's easily made money. As Caligula already said: Money doesn't smell, and I need it to finance my studies.
sure sure. so what do you do, and where do you work? 150 Sfr/h is quite nice hey! i wouldn't mind that :) (i am still a student...)

martin [greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net

--
if you don't understand or are scared by any of the above ask your parents or an adult to help you.
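The two filtering models the thread argues about, as an added example (not code from the mail or from either correspondent): a stateless per-packet rule set in the spirit of ipchains, which has to let everything to ports 1024+ back in so that passive-FTP data connections work, beside a toy "context" (connection-tracking) filter that admits only replies to flows an inside host opened first. The inside host 10.0.0.24:3452 and server 202.143.23.123:21 are the addresses used in the mail and 40348 is the PASV data port from Philipp's question; the attacker address 198.51.100.7, the ephemeral port 3453 and the probe packets are constructed sample data.

```python
"""Stateless (ipchains-style) vs connection-tracking ("context") packet filter.

Added example, not code from the mail thread. The inside host and FTP
server addresses are the ones used in the discussion; the attacker
address 198.51.100.7 is constructed (TEST-NET-2).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INSIDE_PREFIX = "10.0.0."   # the internal network behind the firewall (assumption)

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport) as seen going out


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = False  # TCP SYN without ACK: a fresh connection attempt


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """One rule per packet, no memory of earlier packets (the ipchains model).

    Outbound is allowed. Inbound is allowed to any port >= 1024, which is
    the compromise the thread arrives at: passive-FTP data replies come
    back to an ephemeral port chosen at bind time, so no narrower rule
    can be written. The price is that anyone may open a new connection
    to any high port on an inside host.
    """
    if is_inside(pkt.src):
        return "ACCEPT"
    if pkt.dport >= 1024:
        return "ACCEPT"
    return "DENY"


class StatefulFilter:
    """Connection tracking: remember flows opened from inside and admit only
    packets travelling the reverse direction of a remembered flow. A SYN
    from outside never matches, whatever its source or destination port."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            # Outbound traffic creates (or refreshes) the tracked flow.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows and not pkt.new_conn:
            return "ACCEPT"
        return "DENY"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Replay a passive-FTP session plus three hostile probes through both
    filters. Returns {packet name: (stateless verdict, stateful verdict)}."""
    client, server, attacker = "10.0.0.24", "202.143.23.123", "198.51.100.7"
    packets: List[Tuple[str, Packet]] = [
        # control connection to port 21 and the server's reply
        ("ftp_ctl_out",   Packet(client, 3452, server, 21, new_conn=True)),
        ("ftp_ctl_back",  Packet(server, 21, client, 3452)),
        # PASV told the client to connect to server port 40348; the client
        # binds port 0 and the kernel hands it a fresh ephemeral port (3453 here)
        ("ftp_data_out",  Packet(client, 3453, server, 40348, new_conn=True)),
        ("ftp_data_back", Packet(server, 40348, client, 3453)),
        # attacker opens a new connection to the inside host's port 4000;
        # the stateless filter lets it through purely because dport >= 1024
        ("probe_4000",    Packet(attacker, 31337, client, 4000, new_conn=True)),
        # same, sourced from port 21 to look like FTP control traffic
        ("probe_from_21", Packet(attacker, 21, client, 4000, new_conn=True)),
        # attacker tries a privileged port; both filters stop this one
        ("probe_telnet",  Packet(attacker, 31337, client, 23, new_conn=True)),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_decide(p), stateful.decide(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:14s} stateless={a:6s} stateful={b}")
```

Both filters pass the FTP control and data replies, but only the connection-tracking one refuses the two probes aimed at port 4000, regardless of whether the attacker sources them from port 21. The toy tracker ignores TCP state and timeouts, which a real one must handle; on Linux this is what the netfilter connection tracking in iptables (`-m state --state ESTABLISHED,RELATED`) later provided, with the `ip_conntrack_ftp` helper reading the PASV reply so the data connection counts as RELATED instead of needing a blanket 1024+ rule.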