>But I can't understand why we have to enable
>all HIGH ports for reply tcp/udp traffic.


After that original email, I've updated it a little more.  
See below:


>So why all policies used are DENY ??

Hmmm.. good question!  They should be reject!
The reason why I didn't catch this is because though
the default policy is to DENY traffic, at the bottom
of the INPUT and OUTPUT rules, I REJECT the traffic
there.  So, I *AM* rejecting traffic by using an
IPFWADM command vs. setting the default policy to 
REJECT.

Good eye!

--David


**********************************************************************
If you are unfamiliar with how TCP/IP packet filters work, 
this should give you a good start.  Please understand that 
you should have a decent understanding of how TCP/IP works 
to be able to fully understand the following:

--

Think of an IPFWADM or IPCHAINS ruleset like the following:

        - All interfaces (any network cards, the localhost
          interface, etc) on a Linux box have INPUT, OUTPUT,
          and FORWARD rules.

For example:

        - Say you have a TELNET packet (port 23) from the 
          Internet that wants to reach your Linux box.

                1) The TELNET packet is sent from the remote 
                        computer on the Internet

                2) The packet is received on PORT 23 to the 
                        INPUT rule on the -External NIC card- 

                3) If the TELNET packet is matched to allow 
                        the packet through:  

                           FYI: Some ideas of possible packet 
                                firewall rules can include:
                                        - source and destination IP addresses
                                        - TCP or UDP traffic
                                        - specific source and destination ports (TELNET, etc)
                                        - etc

                        Then let the packet IN through the packet firewall.  
                        If not matched, the packet is either REJECTED 
                        or DENIED.  You can also log the fact that 
                        this packet was killed.

                4) If passed, the TELNET packet then goes to the 
                        TELNET daemon on the Linux box to be processed.  

                        Once the reply TELNET traffic is generated, the actual 
                        return traffic goes back to a HIGH PORT ( port > 1024 )
                        on the remote computer and NOT to port 23.  

                        If you don't understand this, please
                        read up on TCP/IP fundamentals since this discussion is out
                        of the scope of TrinityOS.

                        For this example, let's say the return TELNET traffic is on 
                        port 3200.  Now, this return port 3200 traffic is then 
                        sent to the OUTPUT filter of the EXTERNAL NIC card.

                5) If the packet is matched to allow the packet
                        OUT, then let it through (like #3 above).
                        If not matched, it's either REJECTED or 
                        DENIED.  You can also log the fact that 
                        this packet was killed.
        
                6) If passed, the HIGH PORT packet leaves the Linux box 
                        to go over the Internet connection destined to that
                        remote computer.
        

        FORWARD rules: As you've read above, I've left out the FORWARD 
                                rule.  Basically, all that a FORWARD rule does 
                                is if a given packet matches for a FORWARD rule, 
                                the packet is directly FORWARDed to some other 
                                interface.  This is what a "router" does on
                                a simple level.  Once forwarded, the receiving 
                                interface will check this packet against its 
                                INPUT rule.  Etc.. etc.. etc..

                                 +------------------------------+
                                 |      Linux TCP/IP stack      |
                       {PORT 23} |                              |
                            +--->| Input:              Output:  |
                            |    +------------------------------+
                            |                             |
                            |                             |
           +------------+   |           +------------+    |  
           | Input      |   |           | Output     |    |
           |  Rule      |   |           |  Rule      |    |
{PORT 23}  |            |   |           |            |    |
   +-IN--->|  P a s s ? |---+       +---|  P a s s ? |<---+
   |       |     or     |           |   |     or     |  {PORT 3200}
   ^       |Deny/Reject?|           |   |Deny/Reject?|
--------   +------------+           |   +------------+
  Send           |                  |          |
--------         +--> Dump packet   |          +--> Dump packet   
Remote            (possibly log it) |           (possibly log it)
Internet                            |
site                                |
--------                            |
 Receive <--------------------------+
-------    {PORT 3200}


.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
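The walk-through above (steps 1 to 6, the DENY-vs-REJECT point at the top of the message, and the diagram) can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the original email or from TrinityOS: it models stateless INPUT and OUTPUT chains on the external NIC, first-match rule evaluation, a default policy, and an explicit logging REJECT at the bottom of each chain. The addresses and ports are constructed (documentation ranges), and the `Packet`/`Rule`/`Chain` names are this example's own, not ipfwadm or ipchains syntax.

```python
"""
Toy model of an ipfwadm/ipchains-style packet filter on the external NIC.
Rules are matched top to bottom; the first match decides. If nothing matches,
the chain's default policy applies. There is no connection tracking, which is
exactly why the OUTPUT chain must accept replies to every HIGH (>1024) port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FW_IP = "192.0.2.1"         # constructed: the Linux box's external address
REMOTE_IP = "198.51.100.7"  # constructed: a remote Internet host
ANY = None                  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                               # "ACCEPT", "DENY" (silent drop) or "REJECT" (drop, tell sender)
    proto: Optional[str] = ANY
    src: Optional[str] = ANY
    sport: Optional[Tuple[int, int]] = ANY    # inclusive port range
    dst: Optional[str] = ANY
    dport: Optional[Tuple[int, int]] = ANY
    log: bool = False

    def matches(self, p: Packet) -> bool:
        def in_range(r: Optional[Tuple[int, int]], v: int) -> bool:
            return r is ANY or r[0] <= v <= r[1]
        return ((self.proto is ANY or self.proto == p.proto)
                and (self.src is ANY or self.src == p.src)
                and (self.dst is ANY or self.dst == p.dst)
                and in_range(self.sport, p.sport)
                and in_range(self.dport, p.dport))


class Chain:
    """One rule list (INPUT, OUTPUT or FORWARD) attached to an interface."""

    def __init__(self, name: str, policy: str = "DENY"):
        self.name, self.policy = name, policy
        self.rules: List[Rule] = []
        self.log: List[str] = []

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def evaluate(self, p: Packet) -> str:
        # First matching rule wins; the default policy is only reached if no rule matched.
        for rule in self.rules:
            if rule.matches(p):
                if rule.log:
                    self.log.append(f"{self.name} {rule.action} {p.proto} "
                                    f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return rule.action
        return self.policy


def build_external_interface(explicit_reject: bool = True) -> dict:
    """INPUT/OUTPUT chains for the external NIC, following the TELNET example."""
    inp = Chain("INPUT", policy="DENY")
    out = Chain("OUTPUT", policy="DENY")
    # Step 3: let inbound TELNET (destination port 23) reach the Linux box.
    inp.append(Rule("ACCEPT", proto="tcp", dst=FW_IP, dport=(23, 23)))
    # Step 5: the daemon answers from port 23 to the client's HIGH port, so the
    # OUTPUT chain has to accept every destination port above 1024.
    out.append(Rule("ACCEPT", proto="tcp", src=FW_IP, sport=(23, 23), dport=(1025, 65535)))
    if explicit_reject:
        # Bottom-of-chain catch-all: REJECT and log, so the DENY policy is never reached.
        inp.append(Rule("REJECT", log=True))
        out.append(Rule("REJECT", log=True))
    return {"INPUT": inp, "OUTPUT": out}


def walk_telnet_session(explicit_reject: bool = True) -> Tuple[str, str]:
    """Verdicts for the inbound request (step 2) and the HIGH-port reply (step 4/5)."""
    fw = build_external_interface(explicit_reject)
    request = Packet("tcp", REMOTE_IP, 3200, FW_IP, 23)
    reply = Packet("tcp", FW_IP, 23, REMOTE_IP, 3200)
    return fw["INPUT"].evaluate(request), fw["OUTPUT"].evaluate(reply)


def verdict_for_unmatched(explicit_reject: bool) -> Tuple[str, List[str]]:
    """What happens to a packet no ACCEPT rule covers (constructed: inbound SMTP to port 25)."""
    fw = build_external_interface(explicit_reject)
    stray = Packet("tcp", REMOTE_IP, 4000, FW_IP, 25)
    return fw["INPUT"].evaluate(stray), list(fw["INPUT"].log)


if __name__ == "__main__":
    print("telnet request/reply:", walk_telnet_session())
    print("unmatched, explicit REJECT rule:", verdict_for_unmatched(True))
    print("unmatched, DENY policy only:", verdict_for_unmatched(False))
```

Running it shows the TELNET request accepted by INPUT and its reply to port 3200 accepted by OUTPUT, while a stray packet hits the logging REJECT rule before the DENY policy is ever consulted; build the chains with `explicit_reject=False` and the same stray packet falls through to the silent DENY policy with nothing logged, which is the difference the "They should be reject!" exchange is about.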