Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] YOU & Firewall
  • From: Bastian Friedrich <bastian@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 8 Aug 2002 17:21:53 +0200
  • Message-id: <200208081721.57744.bastian@xxxxxxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Thursday, 8 August 2002 17:08, Markus Gaugusch wrote:
> On Aug 8, Michael Rauter <rauter@xxxxxxx> wrote:
> > Does anybody know, which ports must be open for successful
> > you-update ? I closed all ports and left only the http/s, ftp, ssh,
> > dns ports open. I analyzed the packet trace of my firewall router
> > and see something about port 113 and 333 when starting you.
>
> Can't imagine that, YOU only uses FTP and for some packages
> (NVidia...) HTTP. FTP is tricky, though - I don't know if it is using
> active or passive ftp, but 113 and 333 should NOT be related to YOU
> in any way.

Port 113 is the ident (or auth) service. Many ftp servers start ident
requests on connect; if this is "DENY"ed in the firewall, the
connection has to time out on the server, which may take a while. YOU
probably will work if you just take your time to drink a coffee in the
meantime.

Thus, you should REJECT --reject-with tcp-reset connections to port 113:
    for chain in INPUT OUTPUT FORWARD ; do
        iptables -I $chain -p tcp --destination-port 113 -j REJECT \
            --reject-with tcp-reset
    done

Don't know about port 333, though.

Markus, fou4s will have the same problem in this case.

Regards,
Bastian

PS: A couple of IRC servers will show similar behaviour as ftp servers;
you may want to reject some more ports the way described above if you
regularly connect to the IRC.

- --
Bastian Friedrich bastian@xxxxxxxxxxxxxxxxxxxx
Address & phone available on my HP http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
\ The future isn't what it used to be.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9UoyVlbo7EtEt1mYRAiDUAJ41a1nGg11+50IcQ2KgzGz5JpGg4ACghiOS
bq0rJW1wlXAqx5GzmYHKG5Y=
=bR62
-----END PGP SIGNATURE-----
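
As an added example (not part of the original message): a shell function that reads `iptables-save -t filter` output and reports, per chain, whether TCP port 113 is rejected or silently dropped (DROP is the iptables target for what the message calls "DENY"). The ruleset is constructed sample data and the names `ident_verdicts` and `sample_ruleset` are hypothetical; only rules that name `--dport 113` explicitly are evaluated, otherwise the chain policy is reported.

```shell
#!/bin/sh
# Added example. Reads filter-table rules in iptables-save format on stdin
# and prints "<chain> <verdict> <ok|SLOW>" for TCP port 113 (ident).
# Simplification: only rules naming "--dport 113" are considered; if a chain
# has none, its policy is reported. SLOW = silent drop, so the peer times out.
ident_verdicts() {
    awk '
    /^:/ {                                  # e.g. ":INPUT DROP [0:0]"
        chain = substr($1, 2)
        policy[chain] = $2
        order[++n] = chain
        next
    }
    /^-A / && / -p tcp / && / --dport 113( |$)/ {
        chain = $2
        if (chain in verdict) next          # first matching rule wins
        target = ""; how = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--reject-with") how = $(i + 1)
        }
        verdict[chain] = (how != "") ? (target ":" how) : target
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            v = (c in verdict) ? verdict[c] : ("policy:" policy[c])
            print c, v, (v ~ /DROP$/ ? "SLOW" : "ok")
        }
    }'
}

# Constructed sample ruleset (not taken from the thread).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -m tcp --dport 113 -j DROP
COMMIT
EOF
}

sample_ruleset | ident_verdicts
```

On a live system the input would come from `iptables-save -t filter | ident_verdicts`; any chain flagged SLOW is one where an ident request would hang until the remote server gives up.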

