
Re: IP Chains question



On Thu, Jan 31, 2002 at 09:08:45AM -0500, Matt Kopishke wrote:
> I have set up a firewall using ipchains and the bridge patch
> (bridgein) under potato (2.2.19).  The one snag I had was although the
> firewall works well only letting the world see certain ports (80 & 443),
> it doesn't let the servers behind the firewall get out.  I set up a rule
> that allows all traffic that originated behind the firewall out, but
> because we only have a couple of ports open, and we have no clue what port
> the reply packets are going to come on, the reply packets get denied.
> 
> I was wondering if there is any way to mark outgoing packets so we can
> let them through on their way back?
Well, as you're accepting connections from any port to port 80 and
443, the reply packets will be originating from port 80 or 443, so
you can allow those packets.
To be sure that none of the servers actively opens connections out
using these ports as sources, you can also filter for the SYN bits.

-- 
Ciao, Arne.
                                                                  -o)
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb@createx.de>   /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
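A small Python model of the stateless ruleset Arne describes, added here as an example and not code from the thread; the server and remote addresses and the sample packets are constructed, and the comment above each rule shows the ipchains command it stands for:

```python
"""Model of the stateless ipchains ruleset discussed in the thread (added example,
not code from the thread).  Server and remote addresses and the sample packets are
constructed; only the 80/443 service ports come from the question.  Each rule
comment shows the ipchains command it stands for (single input chain on the bridge)."""
from dataclasses import dataclass

SERVERS = {"192.0.2.10", "192.0.2.11"}   # constructed: hosts behind the bridge
SERVICE_PORTS = {80, 443}                # the only ports the world may reach

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def syn_only(p: Packet) -> bool:
    """What ipchains -y matches: SYN set with ACK clear, i.e. a connection request."""
    return p.syn and not p.ack

RULES = [
    # ipchains -A input -p tcp -s 0/0 -d 192.0.2.10 80 -j ACCEPT   (one per server/port)
    ("world -> server:80/443",
     lambda p: p.dst in SERVERS and p.dport in SERVICE_PORTS, "ACCEPT"),
    # ipchains -A input -p tcp -s 192.0.2.10 -j ACCEPT              (servers may go out)
    ("server -> anywhere", lambda p: p.src in SERVERS, "ACCEPT"),
    # ipchains -A input -p tcp ! -y -s 0/0 80 -d 192.0.2.10 -j ACCEPT  (replies, no SYN)
    ("reply from remote 80/443",
     lambda p: p.dst in SERVERS and p.sport in SERVICE_PORTS and not syn_only(p), "ACCEPT"),
]

def decide(p: Packet) -> str:
    """First matching rule wins; the chain policy is DENY."""
    for _name, match, target in RULES:
        if match(p):
            return target
    return "DENY"

def demo() -> dict:
    """The thread's scenario: inbound service, server-initiated fetch, its replies, and noise."""
    return {
        "client opens https to server": decide(Packet("198.51.100.7", "192.0.2.10", 40000, 443, syn=True)),
        "server opens http to remote": decide(Packet("192.0.2.10", "203.0.113.5", 33000, 80, syn=True)),
        "remote's SYN/ACK reply": decide(Packet("203.0.113.5", "192.0.2.10", 80, 33000, syn=True, ack=True)),
        "remote's data reply": decide(Packet("203.0.113.5", "192.0.2.10", 80, 33000, ack=True)),
        "SYN from source port 80 to ssh": decide(Packet("203.0.113.5", "192.0.2.10", 80, 22, syn=True)),
        "unsolicited SYN to ssh": decide(Packet("203.0.113.5", "192.0.2.10", 40000, 22, syn=True)),
    }
```

The last two entries show what `! -y` buys: a bare SYN claiming source port 80 is refused, but any non-SYN packet with source port 80 or 443 still passes to every internal port, which is the residual weakness of stateless filtering that connection tracking in later iptables kernels closes.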
