On Wed, Jun 09, 1999 at 04:42:04PM +0200, Mats Oldin wrote:
> I'm just about to set up a firewall and have some questions
> about ssh.
>
> Our firewall is configured so that all traffic from LAN is
> allowed. The question is what traffic from WAN to LAN I must
> allow in order to allow ssh connections in both directions.
You're already OK for local ssh -> remote sshd if that's true.
> I've seen that the ssh client uses a local port somewhere between
> 1019:1023 to call the remote ssh server on port 22 (all ports tcp).
> Does anyone know if allowing tcp traffic from WAN on these ports is
> enough or if the interval 1019:1023 is even greater?
I just allow all traffic to port 22. It could originate on
any port.
If ssh has any rhost authentication allowed in its configuration
(which it probably does) and it is suid root or otherwise has low
port privileges then it will bind to a low port for the connection.
*Typically* the code that does this in that kind of program starts
by trying to bind to 1023 and counting down, but a) there's no
reason to assume it will and b) all ports could be used if there
were enough connections between the same two machines.
If ssh has all rhost authentication disabled then it will let
the OS pick a high port. That's obviously OS dependent, so it
could be anything >= 1024.
This was a thorn in my side until I realized it, because all
outgoing traffic from low ports is blocked here. So I just put
PasswordAuthentication yes
RSAAuthentication yes
Host <various-outside-hosts>
RHostsAuthentication no
RHostsRSAAuthentication no
in my .ssh/config and I'm set.
I can't think of a reason why a restriction greater than
`permit tcp any any eq 22' would be of any benefit. (At least
regarding the outside address; if you can allow traffic to only
the hosts actually supposed to run sshd that would be an
improvement.) I'd be interested in hearing any other arguments.
--
Rich Derr, sysadmin Have ssh, Will Telecommute
Web Design Group www.webdesigngroup.com TEL: +1 312 951 6688
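Added example, not from the original mail: a small model of the argument above. It resolves the rhosts-related options from a constructed ~/.ssh/config with ssh_config semantics (global options, then Host blocks, first obtained value wins), derives the source-port range the client will draw from, and checks whether a firewall rule restricted to source ports 1019:1023 covers that range, versus a rule like `permit tcp any any eq 22`. The defaults for the two rhosts options and the exact port ranges are assumptions.

```python
from fnmatch import fnmatch

# Constructed config in the shape the mail describes (hostnames are made up).
SAMPLE_CONFIG = """\
PasswordAuthentication yes
RSAAuthentication yes
Host *.outside.example
    RHostsAuthentication no
    RHostsRSAAuthentication no
"""

def ssh_option(config_text, host, option, default):
    """Effective boolean value of `option` for `host`.
    Lines before any Host directive are global; a Host block applies to hosts
    matching one of its patterns; the first value obtained wins."""
    patterns = ["*"]                       # no Host line seen yet: global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
        elif key == option.lower() and any(fnmatch(host, p) for p in patterns):
            return value.lower() == "yes"
    return default

def client_source_port_range(config_text, host):
    """(lo, hi) of source ports the client may use towards `host`.
    Assumption: with either rhosts method enabled the client binds a
    privileged port (< 1024), otherwise the OS picks an ephemeral one (>= 1024).
    Defaults of 'yes' for both options are an assumption, not OpenSSH's."""
    rhosts = (ssh_option(config_text, host, "RHostsAuthentication", True)
              or ssh_option(config_text, host, "RHostsRSAAuthentication", True))
    return (1, 1023) if rhosts else (1024, 65535)

def rule_covers(rule_src_range, client_range):
    """True if a rule allowing source ports `rule_src_range` (None = any,
    as in `permit tcp any any eq 22`) admits every port the client may use."""
    if rule_src_range is None:
        return True
    lo, hi = rule_src_range
    return lo <= client_range[0] and client_range[1] <= hi

if __name__ == "__main__":
    for host in ("gw.outside.example", "lanbox"):
        rng = client_source_port_range(SAMPLE_CONFIG, host)
        print(host, rng, "1019:1023 rule ok:", rule_covers((1019, 1023), rng),
              "any-source rule ok:", rule_covers(None, rng))
```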