Re: firewall problem

B. James Phillippe (bryan@terran.org)
Thu, 24 Oct 1996 03:41:16 -0700 (PDT)


On Thu, 24 Oct 1996, Mirko Manea wrote:

> Hi!

Hi to you, too!

> I have setup a firewall to enable or disable access to the Internet.
> I work only on the output rules, but when I enable reject on some
> ports, nobody can use them from the outside (i.e. if I reject port
> 23 only in output, nobody from the Internet can telnet to my machine).

Okay, that sounds reasonable. You desire to restrict flow OUTBOUND more
than you desire to restrict flow INBOUND, so you operate primarily on the
output rules. This is a good start.

> I am using ipfwadm 2.3.0 with the following rules:
>
> /sbin/ipfwadm -I -f
> /sbin/ipfwadm -O -f
> /sbin/ipfwadm -F -f
> /sbin/ipfwadm -F -p deny

These are all okay.

> /sbin/ipfwadm -O -a reject -W ppp0 -P tcp -S 157.27.10.0/24 \
> -D 0.0.0.0/0 21 23 \
> 70 80 194 1000:65535
> /sbin/ipfwadm -O -a reject -W ppp0 -P tcp -S 157.27.10.0/24 \
> -D 0.0.0.0/0 21 23 \
> 70 80 194 1000:65535

This is your problem ----------------------------------------^^^^^^^^^^
What this does is say that all packets originating on the 157.27.10.0/24
network will be blocked if their source ports are 21, 23, 70, 80, 194 and
1000 through 65535. What happens when someone telnets from the outside to
the inside? Your inside machine hears a telnet request, and when it goes
to reply (to complete the three-way TCP handshake and establish a
dialogue), its reply packet gets blocked. The packet is blocked because
you've blocked all ports between 1000 and 65535, inclusive. These are the
ports that most of your replies will originate from.

(just out of curiosity, how come you have the rule listed twice?)

The standard IP firewalling in the Linux kernel is not dynamic, which
means that it does not adjust its filter rules based on things like TCP
handshakes and two-way conversations.

> Is it a kernel problem or am I missing something?

It's both, really. I wouldn't call it a kernel problem because it really
is a very logical process. But you can shoot yourself in the foot
sometimes with this, too.

> Thank you very much for any help,

I hope this helps you out,

Good Day,
-bp

--
# B. James Phillippe # System Administrator [terran.org]
# <bryan.phillippe@terran.org> ~ http://w3.terran.org/~bryan
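The stateless output-chain behaviour discussed in this reply, as an added Python model (not code from the thread or from ipfwadm): the ports listed after -D are treated as destination ports, as ipfwadm parses them, and ipfwadm's -y option (match only TCP packets with SYN set and ACK clear) is modelled as `syn_only`. The inside host 157.27.10.5 and outside host 198.51.100.7 are assumed.

```python
"""Stateless model of the ipfwadm output chain from the thread (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    policy: str             # "reject" or "accept"
    src_net: str            # -S network
    dport_ranges: tuple     # ports after -D as (lo, hi) pairs; () = any port
    syn_only: bool = False  # models -y: match only packets with SYN set and ACK clear


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.dport_ranges and not any(lo <= pkt.dport <= hi for lo, hi in rule.dport_ranges):
        return False
    if rule.syn_only and not (pkt.syn and not pkt.ack):
        return False
    return True


def output_verdict(rules, pkt: Packet, default: str = "accept") -> str:
    """First matching rule wins; the thread sets no -O -p, so the chain default is accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return default


PORTS = ((21, 21), (23, 23), (70, 70), (80, 80), (194, 194), (1000, 65535))
ORIGINAL = [Rule("reject", "157.27.10.0/24", PORTS)]
SYN_ONLY = [Rule("reject", "157.27.10.0/24", PORTS, syn_only=True)]

# Constructed packets: the SYN-ACK an inside host sends back to an outside telnet client
# (destination port is the client's ephemeral port), and an outbound connection attempt.
REPLY_TO_INBOUND_TELNET = Packet("157.27.10.5", 23, "198.51.100.7", 1025, syn=True, ack=True)
OUTBOUND_NEW_TELNET = Packet("157.27.10.5", 1026, "198.51.100.7", 23, syn=True, ack=False)


def demo() -> dict:
    return {
        "original/reply": output_verdict(ORIGINAL, REPLY_TO_INBOUND_TELNET),
        "syn_only/reply": output_verdict(SYN_ONLY, REPLY_TO_INBOUND_TELNET),
        "syn_only/outbound_new": output_verdict(SYN_ONLY, OUTBOUND_NEW_TELNET),
    }
```

With the original rule the handshake reply is rejected because its destination port falls in 1000:65535; the SYN-only variant still rejects new outbound connections but lets replies through, while later packets of any connection remain untracked, which is the non-dynamic limitation the reply describes.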