Is there some way to determine what kinds of additional connections a
web site tries to open when you hit a page so that you can determine
which services you want to let through in a packet filtering firewall?
I've set up an ipchains Linux firewall. Initially I just opened a few
destination ports (filtering with masquerading in chains jumped to from
the forward chain as per the IPCHAINS-HOWTO example); e.g.:
ipchains -A int-ext -p TCP --dport www -j MASQ
That works fine for standard web sites, but fails with sites that use
SSL (obviously). For example, nothing from the Wall Street Journal
Interactive site comes across at this point. So I add SSL rules:
ipchains -A int-ext -p TCP --dport 443 -j MASQ
ipchains -A int-ext -p UDP --dport 443 -j MASQ
Now part of the WSJI page comes across, but not all. So I add another
rule to let any packet that didn't start out there through:
ipchains -A int-ext -p TCP --dport 1024: ! -y -j MASQ
Now the WSJI works fine. So how do I tell what I've just let in?
Similarly, when I hit the Real Audio web site
(http://www.real.com), the pages don't load since the firewall isn't
letting something through (even with that last rule). Although I've got
a default -l -j REJECT rule for that chain, nothing shows up in
/var/log/kern.log. How do I tell what port Real Audio is trying to open
when I hit their site that this firewall is catching? (Note: I'm not
talking about letting RealAudio itself through; I found the proper ports
to open and that works fine. I'm talking about the Real Audio corporate
web site.)
TIA for any help. I searched long and hard through this list's archives via
Geocrawler (http://geocrawler.com/lists/3/Security/90/0/ what a
resource!!) without finding an answer.
Stan
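An added example, not part of Stan's post and not ipchains' own code: a small Python script that summarises the lines a `-l` rule writes to the kernel log, so that the destination ports a page tried to reach show up as a short table instead of having to be read out of the raw log. It assumes the `-l` output reaches /var/log/kern.log in the kernel's "Packet log:" format (chain, target, interface, PROTO=, src:port, dst:port, length and header fields, an optional SYN marker, and the rule number in parentheses); the timestamps, addresses, ports and chain name in SAMPLE_LOG are constructed for this example and stand for nothing real. Only TCP SYNs and UDP datagrams are counted as new connection attempts; a rejected non-SYN TCP packet is reported separately, because it is not a connection the page opened. The suggested rules are written in the same port-specific form as the rules in the post and deliberately do not use `-y`: ipchains does no connection tracking in the forward direction, so every outbound packet of a masqueraded connection, not only the SYN, has to match a MASQ rule. The point is to replace a blanket `--dport 1024: ! -y` rule, which admits any non-SYN TCP packet to any high port, with the handful of ports the site actually needs.

```python
import re
from collections import Counter

# Constructed sample of /var/log/kern.log lines as written by an ipchains
# "-l" rule.  Nothing here is real: hosts, ports, chain name and rule
# numbers are made up to exercise the parser.  The last line is an
# unrelated kernel message that the parser must ignore.
SAMPLE_LOG = """\
Mar  3 21:14:02 fw kernel: Packet log: int-ext REJECT eth1 PROTO=6 192.168.1.10:1027 10.20.30.41:8080 L=60 S=0x00 I=3210 F=0x4000 T=63 SYN (#4)
Mar  3 21:14:03 fw kernel: Packet log: int-ext REJECT eth1 PROTO=6 192.168.1.10:1028 10.20.30.41:8080 L=60 S=0x00 I=3211 F=0x4000 T=63 SYN (#4)
Mar  3 21:14:03 fw kernel: Packet log: int-ext REJECT eth1 PROTO=6 192.168.1.10:1028 10.20.30.41:8080 L=52 S=0x00 I=3212 F=0x4000 T=63 (#4)
Mar  3 21:14:03 fw kernel: Packet log: int-ext REJECT eth1 PROTO=17 192.168.1.10:1030 10.20.30.42:7070 L=48 S=0x00 I=3213 F=0x0000 T=63 (#4)
Mar  3 21:14:04 fw kernel: Packet log: int-ext REJECT eth1 PROTO=6 192.168.1.10:1031 10.20.30.43:554 L=60 S=0x00 I=3214 F=0x4000 T=63 SYN (#4)
Mar  3 21:14:05 fw kernel: Packet log: input DENY eth0 PROTO=6 10.99.0.5:4444 10.20.30.1:23 L=60 S=0x00 I=77 F=0x4000 T=50 SYN (#2)
Mar  3 21:14:06 fw kernel: eth1: link up
"""

# Fields of one "Packet log:" line.  The lazy ".*?" skips the L=/S=/I=/F=
# header dump; " SYN" is present only when the TCP SYN flag was set.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?\bT=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_packet_log(text):
    """Yield one dict per ipchains 'Packet log:' line; skip other kernel messages."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        yield {
            "chain": d["chain"], "target": d["target"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "syn": d["syn"] is not None, "rule": int(d["rule"]),
        }


def blocked_services(text, chain="int-ext"):
    """Count blocked packets in one chain per (proto, destination port).

    Returns (new, stray): 'new' counts connection attempts (TCP SYNs and UDP
    datagrams), 'stray' counts non-SYN TCP packets, which are not connections
    the page opened and should not drive a new allow rule on their own.
    """
    new, stray = Counter(), Counter()
    for p in parse_packet_log(text):
        if p["chain"] != chain:
            continue
        key = (p["proto"], p["dport"])
        if p["proto"] == "UDP" or (p["proto"] == "TCP" and p["syn"]):
            new[key] += 1
        else:
            stray[key] += 1
    return new, stray


def suggest_masq_rules(new, chain="int-ext"):
    """One port-specific MASQ rule per blocked (proto, port), busiest first.

    No '-y' here on purpose: ipchains forward rules are stateless, so every
    outbound packet of a masqueraded connection must match the rule, not
    just the initial SYN.  These are suggestions to review, not to paste blindly.
    """
    ordered = sorted(new.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
    return [f"ipchains -A {chain} -p {proto} --dport {port} -j MASQ"
            for (proto, port), _ in ordered]


if __name__ == "__main__":
    new, stray = blocked_services(SAMPLE_LOG)
    for (proto, port), n in new.most_common():
        print(f"{n:4d} connection attempt(s) to {proto} port {port}")
    for (proto, port), n in stray.most_common():
        print(f"{n:4d} stray non-SYN packet(s) to {proto} port {port}")
    print("\n".join(suggest_masq_rules(new)))
```

Run it against the real file with `python3 summarise.py < /var/log/kern.log` after changing the script to read from stdin, or simply replace SAMPLE_LOG with the file contents. If the `-l` lines never reach the log at all, the parser cannot help; in that case the check I would run while loading the page is a packet capture on the inside interface, for instance `tcpdump -n -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not port 80 and not port 443'`, which prints every connection attempt to a port other than the two already allowed, whether or not the firewall logs it.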