[391] in linux-net channel archive
Re: firewalls
daemon@ATHENA.MIT.EDU (Aidan Dixon)
Tue May 30 07:46:09 1995
Date: Tue, 30 May 1995 10:35:28 +0100 (BST)
From: Aidan Dixon <atd@prismtech.co.uk>
To: John Paul Morrison <jmorriso@ConcordPacific.com>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <199505291924.MAA09545@Master.ConcordPacific.Com>
On Mon, 29 May 1995, John Paul Morrison wrote:
> Date: Mon, 29 May 1995 12:24:16 -0700 (PDT)
> From: John Paul Morrison <jmorriso@ConcordPacific.com>
> To: linux-net@vger.rutgers.edu
> Subject: firewalls
>
> I want to block incoming connections to privileged ports (except for
> a few cases).
>
> However I'd like to enable OUTGOING rlogin connections, and I think I
> can do this with:
>
> this is needed because rlogin binds to a privileged port:
> /sbin/ipfwadm -B -a accept -P tcp -S a.b.c.d 1:1024 -D 0.0.0.0/0 513 -b
>
> this is to stop other stuff:
> /sbin/ipfwadm -B -a reject -P tcp -S 0.0.0.0/0 -D a.b.c.d 1:1024 2049
>
> but then someone could bind to 513 on their end and try to connect
> to my machine.
>
> How can the firewall check that the incoming packet is only for
> a connection that my host initiated? (shouldn't this be possible
> at least with TCP?)
>
Hi,

I think you may have a couple of things mixed up here about the socket
connections involved. :->

The rlogin program does not bind (99% sure of this) to port 513 for its
outgoing connections. It normally just uses whichever outgoing port the
TCP implementation gives it. (Normally >1023 for UNIX machines that
recognize "privileged" ports.)

Rlogin does connect to tcp port 513 on the remote machine, which is where
the inetd server listens on behalf of rlogind. At any rate, once inetd is
listening on that port, no other socket can be bound to it - connect yes,
but not bind. (The server end calls bind(2), the client end calls
connect(2).)

So, when you're dealing with rlogin connections (or telnet, rsh and finger
etc.) outgoing connections to machines will have port no. > 1022 (the
minimum unpriv'd port is around that number, can't exactly remember which
- I thought 1024, but my Solaris2.4 machine goes as low as 1022 - somebody
correct me please!)

You should be able to block all incoming connections to privileged ports
without at all affecting outgoing connections and without adding a rule
for outgoing connections. I have achieved exactly the same effect without
any problems on my company's SPAN router which we use to firewall our
Internet connection. This uses firewall rules very similar to the ones
ipfwadm uses. In your case, I think the first ipfwadm statement is
unneeded.

You might want to initiate a few connections on various ports on your
machine and examine what netstat produces.
Regards,
Aidan
-------------------------------------------------------------------------------
Aidan Thomas Dixon                     Prism Technologies Ltd.
<aidan.dixon@prismtech.co.uk>          Kingfisher House
                                       Kingsway
or                                     Team Valley Trading Estate
                                       Gateshead.
<aidan.dixon@vivaldi.demon.co.uk>      NE11 0JQ
- home address                         UNITED KINGDOM
PHONE: (+44) 91 491 3983               FAX: (+44) 191 491 3973
-------------------------------------------------------------------------------
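The question in this thread asks how a filter can tell the reply to a connection this host opened apart from a fresh inbound connection to a privileged port. The following is an added example, not code from the thread or from ipfwadm: a stateless filter in Python that makes that distinction from the TCP flag bits (SYN set with ACK clear means a new connection attempt), applied to the same port set as the thread's reject rule. Packets are constructed inline and the local address 10.0.0.5 is an assumption standing in for a.b.c.d.

```python
import struct

SYN, ACK = 0x02, 0x10
PRIV_PORTS = range(1, 1025)      # the "1:1024" range used in the thread's rules
LOCAL = "10.0.0.5"               # assumed local address, standing in for a.b.c.d

def build_tcp(src_ip, dst_ip, sport, dport, flags):
    """Constructed test input: a minimal IPv4 header + TCP header (40 bytes),
    checksums left zero. Not a real capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse(pkt):
    """Pull out the fields a port filter needs; None for non-TCP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport,
            "syn": bool(flags & SYN), "ack": bool(flags & ACK)}

def incoming_verdict(pkt):
    """Stateless policy for segments arriving at LOCAL.
    SYN set with ACK clear is a new connection attempt, so that is all the
    privileged-port block needs to stop. A segment carrying ACK belongs to a
    conversation already set up, e.g. the reply to our own outgoing rlogin
    (remote port 513 -> our unprivileged port), which must stay accepted."""
    p = parse(pkt)
    if p is None or p["dst"] != LOCAL:
        return "accept"          # the thread's rules only concern TCP to this host
    new_connection = p["syn"] and not p["ack"]
    if new_connection and (p["dport"] in PRIV_PORTS or p["dport"] == 2049):
        return "reject"          # same ports as the thread's reject rule
    return "accept"
```

A remote host that binds its own end to 513 and sends a SYN at a privileged port here is rejected, while the SYN/ACK answering our outgoing rlogin is accepted without any extra accept rule; filters that can match on the TCP flag bits apply exactly this distinction, and stateful filters go further by only admitting ACK segments that match a SYN they saw leave.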