-----Original Message-----
From: Chris Harvey <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, October 12, 2000 1:44 PM
Subject: Port education required


>Folks,
>I'm trying to close down some of the ports on my machine that are in the
>1024 to 65535 range, and ideally I'd like to close them all down unless
>there is an application that I know is listening on that given port.
>
>What I see happening though is kind of interesting. If I make a DNS call or
>SMTP, or basically anything including HTTP, the initial call goes out to the
>registered port, 53, 25 and 80 respectively. However the response may come
>back in on a completely different port, usually in the range of 1037 to
>about 28xx. Is this standard TCP/IP behaviour?
>

Yes, that's the norm.


>I'm assuming my machine is making a call into another machine on the
>registered port for the service, but also passing an alternative port
>number that a response should be sent back on.
>
>

Yes to the former, no to the latter.  I think the first available port above
1024 is used to get the response. Anyone else know the logic here?

>Therefore do I have to leave a range of ports open so that these
>conversations can happen between applications without opening up the whole
>range? Is the range defined anywhere, can I define it? Anyone know of any
>sources I can read up on this?
>

You do not have to leave those open.  You can set your box up via ipchains
to use them a bit differently.  For example, my box at home is running RH
6.2 and is the connection for my home network to the internet.  I have a few
rules in ipchains to manage it.  Something like these:

ipchains -P forward DENY
    # default policy for the forwarding chain: keeps others from using it
ipchains -A input -i ppp0 -p tcp -y -j DENY
    # denies all "connection" attempts (TCP packets arriving on ppp0 with
    # only SYN set), important
ipchains -A forward -i ppp0 -s 10.0.0.0/24 -j MASQ
    # allows my internal net to reach the internet; MASQ is only valid in
    # the forward chain, where -i names the interface the packet leaves on
ipchains -A input -i ppp0 -s 10.0.0.0/24 -j DENY
    # keeps outsiders from pretending to be internal

The one you want in particular is the second one.  With that, you can block
attempts to establish a connection to you, while still allowing answers to
your own requests to come through.  Ipchains can tell the "difference"
between a reply and a connection packet, sometimes called a SYN packet.  The
difference is just a flag set in the packet that indicates it is to
establish a connection.  This way, you can block every port, and still have
internet connectivity.  Beyond ipchains, it's always good to disable all
services on your box that you don't need, as well as configuring the ones
you have to listen and answer only to the internal net.  There's also a thing
called TCP wrappers that is easy to configure and helpful.  Check out the
man pages on hosts.allow and hosts.deny.  You will find those files in /etc.
You can set up a few handy service-specific things in those two files.  The
tighter you can make things, the better.  Installing all updates to servers
is a good idea too, at least the errata and bug fix updates.

>BTW: I don't have portmapper running on the machine as I heard that was for
>NFS. Is that right?
>
Yep, no portmap, no NFS.  You need to have portmap running to get nfsd
running.



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
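An added example, not part of the thread above: a short Python script that
shows the two points discussed, and runs on the loopback interface without
ipchains. The first function connects a client to a listener bound to port 0
and returns the client's kernel-chosen source port next to the port the
server answered to; they are the same port, which is what the question was
getting at (the client passes no "alternative port", the reply just goes back
to the source port of the request). The rest is a toy first-match evaluator
for the ipchains rules in the reply, with the -y test written out as "SYN
set, ACK and FIN clear". The Packet and Rule classes, the chain names and the
sample addresses (198.51.100.7 is a documentation address standing in for a
remote host) are this example's own assumptions, not anything from ipchains.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the header (constants for the toy model below).
FIN, SYN, ACK = 0x01, 0x02, 0x10


def ephemeral_port_roundtrip() -> Tuple[int, int, bytes]:
    """Open a loopback listener, connect without binding the client, and return
    (client's own source port, source port the server saw, reply bytes).
    The client never tells the server which port to answer on: the reply is
    simply sent to the source port of the request."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
        srv.listen(1)
        service_port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(("127.0.0.1", service_port))  # no bind(): ephemeral source port
            client_port = cli.getsockname()[1]
            conn, peer = srv.accept()
            with conn:
                conn.sendall(b"reply")               # goes to (peer ip, peer port)
                data = cli.recv(16)
    return client_port, peer[1], data


def is_syn_only(flags: int) -> bool:
    """What ipchains' -y tests: SYN set, ACK and FIN clear, i.e. the first packet
    of a new connection. A SYN/ACK answering our own request fails this test."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


@dataclass
class Packet:            # hypothetical packet model for the toy evaluator
    iface: str           # interface the packet arrived on (leaves on, in forward)
    src: str             # source IP address
    proto: str = "tcp"
    flags: int = 0       # TCP flags; ignored for other protocols


@dataclass
class Rule:              # hypothetical rule model; first match wins, like ipchains
    target: str
    iface: Optional[str] = None
    src: Optional[str] = None
    proto: Optional[str] = None
    syn_only: bool = False

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.syn_only and not (p.proto == "tcp" and is_syn_only(p.flags)):
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """Walk the chain; the first matching rule's target wins, else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The rules from the reply above, written as data (this example's own encoding).
INPUT_POLICY = "ACCEPT"                                       # ipchains default input policy
INPUT_CHAIN = [
    Rule("DENY", iface="ppp0", proto="tcp", syn_only=True),   # -A input -i ppp0 -p tcp -y -j DENY
    Rule("DENY", iface="ppp0", src="10.0.0.0/24"),            # -A input -i ppp0 -s 10.0.0.0/24 -j DENY
]
FORWARD_POLICY = "DENY"                                       # -P forward DENY
FORWARD_CHAIN = [
    Rule("MASQ", iface="ppp0", src="10.0.0.0/24"),            # -A forward -i ppp0 -s 10.0.0.0/24 -j MASQ
]


def classify_input(p: Packet) -> str:
    return evaluate(INPUT_CHAIN, INPUT_POLICY, p)


def classify_forward(p: Packet) -> str:
    return evaluate(FORWARD_CHAIN, FORWARD_POLICY, p)


if __name__ == "__main__":
    mine, seen, reply = ephemeral_port_roundtrip()
    print(f"client source port {mine}, server replied to port {seen}: {reply!r}")
    # Constructed sample packets; 1037 stands for one of the high ports in the question.
    samples = [
        ("remote SYN to our port 1037",       Packet("ppp0", "198.51.100.7", "tcp", SYN)),
        ("SYN/ACK answering our own request", Packet("ppp0", "198.51.100.7", "tcp", SYN | ACK)),
        ("UDP DNS reply from remote",         Packet("ppp0", "198.51.100.7", "udp")),
        ("spoofed 10.0.0.5 arriving on ppp0", Packet("ppp0", "10.0.0.5", "tcp", SYN)),
        ("internal host SYN on eth0",         Packet("eth0", "10.0.0.5", "tcp", SYN)),
    ]
    for label, p in samples:
        print(f"input   {label:36} -> {classify_input(p)}")
    print("forward internal -> internet             ->", classify_forward(Packet("ppp0", "10.0.0.5", "tcp", SYN)))
    print("forward internet -> internal             ->", classify_forward(Packet("eth0", "198.51.100.7", "tcp", SYN)))
```

Two things worth noticing in the output. The UDP sample is accepted because
nothing in the chain matches it: the -y rule is a TCP-only test, so a DNS
reply gets in as intended, but so does anything else sent to a UDP port above
1024, which is why the reply also says to shut off services you don't need.
And on Linux the range the kernel draws those source ports from is the pair
of numbers in /proc/sys/net/ipv4/ip_local_port_range, which is where you
would look (or write) to answer the "is the range defined anywhere" question.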
