Grant wrote:
>> If you are running servers (including SSHD), your rules are not good at
>> all since they categorize traffic only by DEST PORT. Responses from
>> servers need to be categorized by SOURCE PORT.
>
> I've been trying to get my mind around this but I can't seem to.
> Responses from my servers will have a DEST PORT too right? That won't
> work for classification?
It's disheartening to have to explain the very basic principles of
sockets to people but here goes.
For the purposes of this discussion, the world is separated into clients
and servers. Servers provide services to clients.
When a server starts, it creates a socket and *binds* the socket to an
*address*. For AF_INET (IPv4) and AF_INET6 (IPv6) sockets, that address
is an ordered triple consisting of an IPv4 or IPv6 address, a protocol,
and possibly a port number. Port numbers are only used when the protocol
is TCP, UDP, SCTP or SCCP. The protocol and port number used by a server
are typically well-known so that clients will be able to connect to it.
So SSH servers bind to TCP port 22, SMTP servers bind to TCP port 25,
etc. We will call this port the SERVER PORT.
When a client wants to use the service provided by a server, it also
creates a socket. Like the server's socket, the client's socket must
also be bound to an address. But in the case of the client, the socket
is usually given an automatic address binding. For AF_INET and AF_INET6
sockets, the IP address is the IP address of the client system (loose
generalization) and the port number is selected from a *local port
range*. On Linux systems, the local port ranges can be seen by 'cat
/proc/sys/net/ipv4/ip_local_port_range'. So it is not possible in
advance to determine what port the client will be using. Whatever it is,
we'll call it the CLIENT PORT.
Now:
Packets sent from the client to the server will have:
SOURCE PORT = CLIENT PORT
DEST PORT = SERVER PORT
Packets sent from the server to the client will have:
SOURCE PORT = SERVER PORT
DEST PORT = CLIENT PORT
Since the SERVER PORT is generally the only port known ahead of time, we
therefore categorize traffic from the server to the client using the
SOURCE PORT.
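The classification rule the reply describes, as an added example that is not part of the original thread or of Shorewall itself; the server port table, the sample packets and the ip_local_port_range text are constructed for the example:

```python
from dataclasses import dataclass

# Assumed well-known SERVER PORTs on the firewall host (constructed).
SERVER_PORTS = {22: "ssh", 25: "smtp"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_local_port_range(text):
    """Parse the two numbers printed by
    'cat /proc/sys/net/ipv4/ip_local_port_range' into (low, high)."""
    low, high = text.split()
    return int(low), int(high)


def is_client_port(port, port_range):
    """True if the port falls in the kernel's ephemeral (CLIENT PORT) range."""
    low, high = port_range
    return low <= port <= high


def classify_dest_only(pkt):
    """The flawed rule: look only at DEST PORT. Server replies fall through."""
    return SERVER_PORTS.get(pkt.dst_port, "default")


def classify(pkt):
    """Correct rule: client->server by DEST PORT, server->client by SOURCE PORT."""
    if pkt.dst_port in SERVER_PORTS:
        return SERVER_PORTS[pkt.dst_port], "to-server"
    if pkt.src_port in SERVER_PORTS:
        return SERVER_PORTS[pkt.src_port], "from-server"
    return "default", "unclassified"


# Constructed sample: one SSH session, client chose ephemeral port 51234.
SAMPLE = [
    Packet("203.0.113.7", 51234, "192.0.2.10", 22),  # client -> server
    Packet("192.0.2.10", 22, "203.0.113.7", 51234),  # server -> client (reply)
]


def compare(packets=SAMPLE):
    """Return (dest-only result, correct result) for each packet."""
    return [(classify_dest_only(p), classify(p)) for p in packets]
```

Running compare() shows the reply packet landing in "default" under the dest-port-only rule while the source-port rule attributes it to ssh.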
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users