Re: [SLUG] Newbie Sysadmin's Journal - firewall

From: Paul M Foster (paulf@quillandmouse.com)
Date: Fri Jul 13 2007 - 09:34:05 EDT


Levi Bard wrote:
>> # Normal services
>> # FTP
>> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> You probably want to allow port 20 also for passive ftp?
>
>
>> # Unprivileged ports inserted by Virtuozzo. Why?
>> -A INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
>> -A INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
>
> Active ftp data channel tends to use a random high port. In any case,
> you probably don't have anything exploitable (or anything at all)
> running higher than 1024.
>
> I see that you're filtering your output traffic as well. What's the
> reason for this, concern about someone trojaning (verbing weirds
> language) the machine?
>

This was originally inserted by Virtuozzo. But as I recall, the inbound
connections filter on the destination port, and the outbound filter on
the source port. I think the idea is that, for example, we get an
inbound connection on destination port 25 (SMTP) and the *response* from
the machine goes out with source port 25.

Paul

-- 
Paul M. Foster
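As an added illustration, constructed for this archive page and not the Virtuozzo-generated ruleset or anything Paul posted: the stateless destination-port/source-port pairing described above, next to a stateful version that lets iptables' conntrack match decide what counts as a reply. Port 25 and the FTP helper assignment are assumptions.

```conf
# Constructed iptables-restore fragment; not the ruleset from the journal.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# --- Stateless pairing, as described above: accept the request on its
# destination port and the reply on the matching source port.
-A INPUT  -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
# Caveat: the OUTPUT rule cannot tell a reply from a new connection, so any
# local process that binds source port 25 can send arbitrary traffic out.

# --- Stateful equivalent: replies in either direction are accepted only
# when conntrack has already seen the connection they belong to, and new
# connections are accepted only per service.
-A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT  -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# With the nf_conntrack_ftp helper loaded and assigned to the port 21
# control connection, the FTP data connection is marked RELATED and passes
# the rule above, so a blanket 32768:65535 range is not needed.
COMMIT
```

The OUTPUT policy stays DROP in both variants, so connections the host itself originates (DNS lookups, package updates) still need their own rules.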
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS).  Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:58:56 EDT