This quoting is a mess, but...
Scott, in response to your first post, remember that in all TCP and UDP
communication you've got a socket pair (or some literature calls it a full
socket.. can anyone on the list give authoritative info?), i.e. source *and*
destination addresses *and* ports. What Wil is referring to is the source
port, which you can only place very little faith in having any meaning at
all, less even if the machine in question is outside of your control. Some
protocols (such as FTP or NTP) or implementations of them (BIND for DNS)
have their servers use a well-known port as source port for communication,
but most source ports in the initial packet of a TCP session or in the
individual UDP packets are dynamically assigned more or less at random by
the host OS.
Destination ports (in the TCP session setup and in UDP datagrams) are an
entirely different deal. Clients need to know the port the server is
listening on, so servers very often listen on standard, the so-called
'well-known' ports, such as TCP/80 for HTTP or UDP/53 for DNS. There are
several protocols, however, that utilise secondary connections, such as FTP
for data transfer or RPC. Those secondary channels often use dynamically
allocated server ports and this makes them gruesome to handle with packet
filters.
There is a notion that source ports above 1023 are 'safer' than those up to
there. This is due to the fact that in UNIX only root may use those ports.
However, you have no idea who root is on a remote system, neither does the
UID of someone on a remote system have any implication on the threat they
pose to your system. IOW, use of the source port as qualifier for anything
isn't all too good an idea (except for active FTP, I guess).
Now on to your ipchains question. Actually, '-y' means 'SYN bit set' and '!
-y' means 'SYN bit cleared', but that is wrong, otherwise the TCP three-way
handshake would never complete. Instead, it probably means 'only SYN set' or
perhaps even 'SYN set, FIN and ACK cleared'.
In iptables, BTW, '--syn' is synonymous to '--tcp-flags SYN,RST,ACK SYN' and
means, 'examine SYN, RST and ACK bit and match if only the SYN bit is set'.
How negation works in this case is still beyond me and probably something
for the netfilter list.
UDP is connectionless, so the SYN, ACK, RST and FIN bits are unnecessary and
not used. There is no equivalent to '-y' for UDP.
Your last line is probably wrong. A firewall can attempt to protect you, but
it can only do so if you configure it correctly and even then only to a
certain extent. You are not safe if you've got a firewall. You're safer than
you'd be without one, though. How much depends on its configuration.
Cheers,
Tobias
> -----Original Message-----
> From: Scott H [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, June 21, 2001 2:47 AM
> To: [EMAIL PROTECTED]
> Subject: Chains question
>
> Thanks, that makes sense... Now how about the ! -y option for TCP? It
> just makes sure the Ack flag is set on incoming TCP right? How will
> this affect things?
>
> What about UDP?
>
> The firewall is masquerading my access to the net so if someone were to
> run an exploit against the firewall's TCP or UDP ports they would get
> nowhere right?
>
>
> -----Original Message-----
> From: Wil Cooley [ mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 20, 2001 5:10 PM
> To: Scott H
> Cc: [EMAIL PROTECTED]
> Subject: Re: Chains question
>
>
> Thus spake Scott H:
> > In many IPchains scripts I see ports above 1024 set to accept in-bound
> > traffic on TCP and UDP. There is usually a comment to the effect of
> > ports above 1024 are fair game. Could someone explain why this is
> > considered to be ok? In my case I am using a linux firewall for my home
> > network.
>
> You need to allow ports above 1024 to be connected to if you're going
> to be running any clients on the firewall, like SSH. What happens is
> that a client requests a randomly-assigned high port that forms the
> local end of the connection.
>
> Wil
> --
> W. Reilly Cooley [EMAIL PROTECTED]
> Naked Ape Consulting http://nakedape.cc
> LNXS: Get 0.2.0-devel at http://sourceforge.net/projects/lnxs/
> irc.openprojects.net #lnxs
>
> "The only way for a reporter to look at a politician is down."
> -- H.L. Mencken
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
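Added example, not from anyone in the thread: a small model of the iptables `--tcp-flags mask comp` match that Tobias describes (`--syn` being `--tcp-flags SYN,RST,ACK SYN`), run over a constructed three-way handshake. It assumes the netfilter rule "match if (flags & mask) == comp, and `!` inverts that whole result", which is why `! --syn` matches the SYN/ACK and the bare ACK but not the initial SYN, rather than "ACK must be set" as Scott's question supposes.

```python
# Added example modelling iptables' --tcp-flags / --syn matching.
# Assumption: netfilter's tcp match is "(flags & mask) == comp",
# and a leading '!' inverts the whole result.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def flags_value(spec):
    """'SYN,ACK' -> 0x12; 'ALL' and 'NONE' as iptables spells them."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """Semantics of '[!] --tcp-flags mask comp'.

    Only the bits named in mask are examined; they must equal comp
    exactly.  Bits outside the mask (e.g. FIN, PSH) are ignored.
    Negation flips the whole verdict, so '! --syn' matches every
    segment that is not a bare SYN within the examined bits.
    """
    examined = packet_flags & flags_value(mask)
    return (examined == flags_value(comp)) != invert


def syn_match(packet_flags, invert=False):
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK SYN'."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", invert)


# Constructed sample: the three-way handshake plus one data segment.
HANDSHAKE = {
    "client SYN":     flags_value("SYN"),
    "server SYN/ACK": flags_value("SYN,ACK"),
    "client ACK":     flags_value("ACK"),
    "data PSH/ACK":   flags_value("PSH,ACK"),
}


def classify(segments=HANDSHAKE):
    """Return {name: (matches --syn, matches ! --syn)} per segment."""
    return {name: (syn_match(f), syn_match(f, invert=True))
            for name, f in segments.items()}


if __name__ == "__main__":
    for name, (syn, not_syn) in classify().items():
        print(f"{name:16} --syn={syn!s:5}  ! --syn={not_syn}")
```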