
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 13/09/2004 Mike Mestnik wrote:
> > This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> > --state NEW" should work fine.
> 
> quoting you, this is what I need to do for every ftp source port for
> active ftp.
> 
Correct.

> > This will require you to accept any connection to the
> > ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range 32768 to
> > 61000) with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".
> > You can write to as well as read this file, if you only wish to open,
> > let's say, 32768 32800.
> 
> quoting you, this is what I need to do for passive ftp.
> 
Correct.

> what I don't understand is, why do the ports for passive ftp only need
> to be opened for input data, and the active ftp ports only for output
> data? source port is only for sending code, so this one can deny
We're only talking about NEW pkts; this is the TCP SYN pkt.
RELATED,ESTABLISHED rules still need to be set up to allow the rest of the
connection to happen.

When the FTP PORT cmd is used it tells the remote (server) where to connect
to.  Since the docs for your server say these connections will come *from*
<L-1>, this is used as the source port of an outgoing connection.

Because of Linux kernel rules a local port can only be bound ONCE, either
for incoming connections or outgoing.  I guess they all thought that it
would be too much of a pain to set up security on this shared resource.

> incoming
> connections, but isn't that the same for passive ftp ports?
> 
Every pkt crossing the internet has in the IP header <dest host>:<source
host> and in the TCP hdr (protocol == 17) <dst port>:<src port>.  This
allows for several connections to the same server on the same port (21),
each with a unique <src port>.

> also, aren't the ports for passive ftp different with different ftp
> servers? do I have to check proftpd for its individual passive ftp
I'm guessing, since <L-1> is already used with outgoing FTP data, for
passive ftp your server will use "0" and the kernel then will assign a
free port.

It's possible that the docs for your server are wrong and that <L-1> is
actually set up to receive connections; "netstat --inet -a" will let you
see.

> ports, or are the ones in /proc/sys/net/ipv4/ip_local_port_range always
> common?
> 
Yes, for all programs that leave (set) the LOCAL port to "0".

> bye
>  jonas






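The rule set the reply describes, as an added example that is not code from the thread: it takes the passive range from ip_local_port_range, lets you narrow that range as Mike suggests, and only matches NEW (SYN) packets by port while RELATED,ESTABLISHED carries the rest. Assumptions not in the thread: the FTP command port L is 21 (so <L-1> is 20), the control channel on port 21 is accepted inbound, and the range-file path is a parameter so the script runs against a constructed copy of the procfs file.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: FTP command port
# L = 21, so the active-mode data source port <L-1> is 20; the range-file
# path is a parameter so the functions can run against a constructed copy.

FTP_CMD_PORT=21
FTP_DATA_PORT=$((FTP_CMD_PORT - 1))   # "<L-1>" in the thread

# Print ip_local_port_range ("low<TAB>high") as low:high for --dport.
# $1: path to the range file (defaults to the real procfs entry).
passive_range() {
    read -r low high < "${1:-/proc/sys/net/ipv4/ip_local_port_range}" || return 1
    printf '%s:%s\n' "$low" "$high"
}

# Narrow the range the kernel hands out for local port "0" (e.g. 32768 32800).
# $1: low, $2: high, $3: range file (defaults to the real procfs entry).
set_passive_range() {
    printf '%s\t%s\n' "$1" "$2" > "${3:-/proc/sys/net/ipv4/ip_local_port_range}"
}

# Print the rule set, one iptables command per line, for a passive range
# given as low:high. Port matches apply to NEW packets (the TCP SYN) only;
# RELATED,ESTABLISHED lets the remainder of every connection through.
ftp_rules() {
    cat <<EOF
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --dport $FTP_CMD_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport $FTP_DATA_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT  -p tcp --dport $1 -m state --state NEW -j ACCEPT
EOF
}

# Usage: sh ftp-rules.sh show   -> print the rules for the current range
#        sh ftp-rules.sh apply  -> run them (needs root)
if [ "$1" = apply ]; then
    ftp_rules "$(passive_range)" | sh -e
elif [ "$1" = show ]; then
    ftp_rules "$(passive_range)"
fi
```

Run with "show" first and check the printed --dport range against what "netstat --inet -a" reports your server actually listening on before applying.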