On Saturday 13 April 2002 10:44 pm, Banai Zoltan wrote:

> I wish to deny connections to any www/ftp server in my subnet,
> (because it is not allowed to serve files from our subnet).
> But the users there put ftp or www servers on other ports,
> such as telnet or ssh. Since I don't want to deny ssh to the subnet,
> I can't deny port 22. And I don't want to deny every port.

You have a challenge :-) This is not easy to solve.

> Is there any solution to analyze the content of the packet and
> decide to deny it if it seems to be an ftp/www session?

Not reliably, and certainly not easily with netfilter / iptables - it is not designed for that sort of work.

> Now we are using Network Flight Recorder, it analyses every conn.

This, or something similar, is your best bet - certainly a better solution than trying to get netfilter to inspect the contents of packets. You might want to investigate dsniff or snort for monitoring packet contents.

> So, in short, the question is whether netfilter can act as a proxy firewall?

No, netfilter is a packet filter, not a proxy firewall, and you are correct, a proxy firewall is what you really need to stop people running servers on non-standard ports :-(

Since you know which ports you are allowing connections to through your firewall (and there can't be *that* many, are there?), you could try running something like whisker (Perl program which checks for vulnerabilities in web servers) or nessus (general all-purpose network vulnerability scanner) inside your network, probing the internal servers to see if they respond in a way they shouldn't...?

Antony.
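As an added illustration of the point Antony makes (a packet filter matches headers, a content inspector has to look at the application-layer bytes), the following Python script is not from the list thread or from netfilter; it is a constructed example of the kind of first-payload heuristic an IDS such as snort applies. The sample captures in SAMPLES, the port table EXPECTED and the function names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Application-layer signatures checked against the first payload bytes of a
# TCP stream. These are ordinary protocol banners/requests, nothing more.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# FTP-only commands. USER/PASS/LIST/RETR are deliberately excluded because
# POP3 uses the same verbs and would produce false positives on port 110.
FTP_COMMAND = re.compile(rb"^(STOR|NLST|PASV|PORT|CWD|PWD|TYPE|SYST|FEAT)( |\r\n)", re.IGNORECASE)
# SMTP also greets with "220", so require the word FTP in the greeting.
FTP_GREETING = re.compile(rb"^220[ -].*\bFTP\b", re.IGNORECASE)
SSH_BANNER = re.compile(rb"^SSH-[12]\.[0-9]+-")

# Assumed policy: which application protocol is allowed on which port.
EXPECTED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}


def classify_payload(payload: bytes) -> Optional[str]:
    """Guess the application protocol from the first bytes of a stream."""
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    if FTP_COMMAND.match(payload) or FTP_GREETING.match(payload):
        return "ftp"
    if SSH_BANNER.match(payload):
        return "ssh"
    if payload[:1] == b"\xff":  # telnet IAC option negotiation
        return "telnet"
    return None


@dataclass
class Finding:
    dst_port: int
    protocol: str
    reason: str


def inspect_stream(dst_port: int, payload: bytes) -> Optional[Finding]:
    """Flag www/ftp sessions that run on a port where they are not expected.

    Unknown or unrecognised payloads are not flagged: a heuristic like this
    should feed an alert, not a drop rule, because it will miss encrypted
    or padded sessions and can misjudge unusual but legitimate traffic.
    """
    proto = classify_payload(payload)
    if proto not in ("http", "ftp"):
        return None
    expected = EXPECTED.get(dst_port, "unknown")
    if expected == proto:
        return None
    return Finding(dst_port, proto,
                   f"{proto} session on port {dst_port} (expected {expected})")


# Constructed sample streams: (destination port, first payload bytes).
SAMPLES: List[Tuple[int, bytes]] = [
    (22, b"SSH-2.0-OpenSSH_3.1\r\n"),                       # real ssh, fine
    (22, b"GET / HTTP/1.0\r\nHost: internal\r\n\r\n"),       # web server hiding on 22
    (23, b"220 files.internal FTP server ready\r\n"),        # ftp server hiding on 23
    (23, b"\xff\xfb\x01\xff\xfb\x03"),                       # real telnet, fine
    (80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),            # http where http belongs
    (25, b"220 mail.internal ESMTP Postfix\r\n"),            # smtp greeting, not ftp
]


def audit(samples: List[Tuple[int, bytes]] = SAMPLES) -> List[Finding]:
    """Run the inspection over every sample stream and collect findings."""
    return [f for port, payload in samples if (f := inspect_stream(port, payload))]


if __name__ == "__main__":
    for finding in audit():
        print(f"ALERT port {finding.dst_port}: {finding.reason}")
```

Run as a script it prints one alert for the http session on port 22 and one for the ftp session on port 23, and nothing for the rest. This is still only signature matching on the first packet; it is the sort of check you would hang off a sniffer or IDS feed as Antony suggests, not something netfilter itself can express.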
