[1901] in linux-security and linux-alert archive
[linux-security] Re: Linux and IPFWADM
daemon@ATHENA.MIT.EDU (Avery Pennarun)
Fri Jun 19 02:36:52 1998
Date: Wed, 17 Jun 1998 14:12:21 -0400
From: Avery Pennarun <apenwarr@worldvisions.ca>
To: Glynn Clements <glynn@sensei.co.uk>
Cc: S Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <13703.52175.103307.339427@cerise.sensei.co.uk>; from Glynn Clements on Wed, Jun 17, 1998 at 02:59:43PM +0100
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Wed, Jun 17, 1998 at 02:59:43PM +0100, Glynn Clements wrote:
> Avery Pennarun wrote:
>
> > # We need to allow TCP UDP back in on all ports that might have been
> > # used to make an outgoing connection. I don't really like doing this,
> > # but...
> > #
> > ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
>
> You probably want to use the -k flag to only accept packets with the
> ACK bit set (i.e. *not* inbound connections). You'll need to use
> passive mode for outbound FTP though.
Ah, right. Obviously my brain was running a bit low on sugar when I wrote
that comment, because I now remember that non-passive FTP was the main
reason I opened ports 1024-65535.
I know that some (non-Linux) firewalls do so-called "active firewalling"
that opens certain ports only when it is expecting a call (from a particular
IP address) on them. That would be ideal -- can Linux do it? How about in
the 2.1 kernels with ipchains?
Have fun,
Avery
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
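The two rules in the exchange above, modelled as an added example that is not part of the original thread: the rule as quoted (any TCP packet to a high port) beside the same rule with -k (ACK bit required). Packet fields, rule function names and the sample traffic are constructed for illustration, not ipfwadm's own code.

```python
# Added example: a minimal model of the two ipfwadm input rules discussed.
# Only the destination port and TCP flags matter for this comparison.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def rule_open_high_ports(pkt: Packet) -> bool:
    """ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
    Accepts ANY TCP packet to ports 1024-65535, including the bare SYN
    that opens a brand-new inbound connection to a high-port service."""
    return pkt.proto == "tcp" and 1024 <= pkt.dport <= 65535


def rule_open_high_ports_k(pkt: Packet) -> bool:
    """The same rule with -k: only packets carrying the ACK bit match.
    A new inbound connection starts with SYN alone, so it no longer
    matches. Note this is a per-packet flag check, not connection tracking."""
    return rule_open_high_ports(pkt) and pkt.ack


# Constructed sample traffic as seen on the firewall's input side.
SAMPLES = {
    # SYN/ACK reply to an outbound HTTP connection we initiated from port 1025
    "http_reply": Packet("tcp", 80, 1025, syn=True, ack=True),
    # a new inbound connection attempt to a service listening on a high port
    "inbound_syn": Packet("tcp", 33000, 6000, syn=True),
    # active-mode FTP: the server opens the data connection from port 20
    # back to the high port we announced, so it arrives as a bare SYN
    "ftp_active_data": Packet("tcp", 20, 1030, syn=True),
}


def evaluate(rule) -> dict:
    """Return {sample name: accepted?} for the given rule function."""
    return {name: rule(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, rule in (("as quoted", rule_open_high_ports),
                       ("with -k", rule_open_high_ports_k)):
        print(name, evaluate(rule))
```

The -k variant is what turns active FTP into the one case that needs passive mode: its data connection arrives as a new SYN, exactly like any other inbound connection attempt. Because -k inspects only the ACK flag, it is not the stateful "open the port when a reply is expected" behaviour the message asks about.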