[1901] in linux-security and linux-alert archive


[linux-security] Re: Linux and IPFWADM

daemon@ATHENA.MIT.EDU (Avery Pennarun)
Fri Jun 19 02:36:52 1998

Date: Wed, 17 Jun 1998 14:12:21 -0400
From: Avery Pennarun <apenwarr@worldvisions.ca>
To: Glynn Clements <glynn@sensei.co.uk>
Cc: S Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <13703.52175.103307.339427@cerise.sensei.co.uk>; from Glynn Clements on Wed, Jun 17, 1998 at 02:59:43PM +0100
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Wed, Jun 17, 1998 at 02:59:43PM +0100, Glynn Clements wrote:

> Avery Pennarun wrote:
> 
> > # We need to allow TCP UDP back in on all ports that might have been
> > # used to make an outgoing connection.  I don't really like doing this,
> > # but...
> > #
> > ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
> 
> You probably want to use the -k flag to only accept packets with the
> ACK bit set (i.e. *not* inbound connections). You'll need to use
> passive mode for outbound FTP though.

Ah, right.  Obviously my brain was running a bit low on sugar when I wrote
that comment, because I now remember that non-passive FTP was the main
reason I opened ports 1024-65535.

I know that some (non-Linux) firewalls do so-called "active firewalling"
that opens certain ports only when it is expecting a call (from a particular
IP address) on them.  That would be ideal -- can Linux do it?  How about in
the 2.1 kernels with ipchains?

Have fun,

Avery

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
