Firewalling incoming connections

Post by Chris J » Sat, 09 May 1998 04:00:00

Hiya,

Got a problem setting up ipfwadm (version 2.3.0). System is running kernel
2.0.33.

I am attempting to firewall everything incoming (bar certain ports, including
all < 1023 ports), however I've spotted a slight flaw in this plan. Once I've
set the connection up, outgoing connections cannot be established, as I've
firewalled 1024:65535, hence blocking out the local port end.

What I'm trying to achieve is a firewall whereby users cannot put up their own
servers or daemons for external access without asking for the ports to be
unlocked. Internally, they have free rein.

Is there a method whereby incoming connections can be blocked, but outgoing
connections (to any port) can still be established? My current rules look
like (143.58.59.3 is the machine I'm attempting to firewall. The firewall is
also on this machine - the IP has been changed to protect the innocent :)

# Privileged ports ( < 1024) - always allow
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 0:1023
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 0:1023

# Allow access within university
ipfwadm -I -a accept -P tcp -S 143.58.0.0/16 -D 143.58.59.3/32 0:65535
ipfwadm -I -a accept -P udp -S 143.58.0.0/16 -D 143.58.59.3/32 0:65535

# Services
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1026
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 2049
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 2049
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 6000
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 2000
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 5678

## This causes the problems with outgoing connections being setup
# Reject all other connections
ipfwadm -I -a reject -y -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
ipfwadm -I -a reject -y -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

Alternatively...am I missing summat obvious, and am being blind to miss it?

TIA,

Chris...

--

    / When will we get the chance to |                                   \
   / be ourselves? When will the     |      Eat a pint of fish a day      \
  / labeling in society disappear?    |                                     \


Firewalling incoming connections

Post by Stephen Meyle » Sat, 09 May 1998 04:00:00

> Hiya,

> Got a problem setting up ipfwadm (version 2.3.0). System is running kernel
> 2.0.33.

[snip]

> ## This causes the problems with outgoing connections being setup
> # Reject all other connections
> ipfwadm -I -a reject -y -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
> ipfwadm -I -a reject -y -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

> Alternatively...am I missing summat obvious, and am being blind to miss it?

> TIA,

> Chris...

> --

>     / When will we get the chance to |                                   \
>    / be ourselves? When will the     |      Eat a pint of fish a day      \
>   / labeling in society disappear?    |                                     \

The problem is that the second part of the TCP handshake has the SYN bit set and
is being rejected because of the -y specification.  I believe the way to achieve
what you want is to allow all packets with the ACK bit set, and disallow all
others (SYN w/o ACK).  Something like this:

ipfwadm -I -a accept -k -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
ipfwadm -I -a reject -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

The -y and -k are not applicable to UDP as it is connectionless.

Hope this helps

Steve
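As an added illustration (not code from either poster), the following Python models the ruleset as amended in Steve's reply and runs a few constructed inbound packets through it. The first-match rule evaluation, the default accept policy and the sample addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's -I (input) rules, in ipfwadm order; the
# first matching rule decides. Fields: action, protocol, source network,
# destination port range, TCP flag test ("ack" models -k: ACK bit must be set).
RULES = [
    ("accept", "tcp", "0.0.0.0/0", (0, 1023), None),        # privileged ports
    ("accept", "udp", "0.0.0.0/0", (0, 1023), None),
    ("accept", "tcp", "143.58.0.0/16", (0, 65535), None),   # within university
    ("accept", "udp", "143.58.0.0/16", (0, 65535), None),
] + [("accept", "tcp", "0.0.0.0/0", (p, p), None) for p in (1026, 2049, 6000, 2000, 5678)] + [
    ("accept", "udp", "0.0.0.0/0", (2049, 2049), None),     # NFS over UDP
    ("accept", "tcp", "0.0.0.0/0", (1024, 65535), "ack"),   # -k: replies to our own connections
    ("reject", "tcp", "0.0.0.0/0", (1024, 65535), None),    # everything else inbound (new SYNs)
    ("reject", "udp", "0.0.0.0/0", (1024, 65535), None),    # UDP rule unchanged from the question
]

def matches(rule, pkt):
    """True if an inbound packet satisfies one rule's protocol, source, port and flag tests."""
    action, proto, src_net, (lo, hi), flag = rule
    if pkt["proto"] != proto or not (lo <= pkt["dport"] <= hi):
        return False
    if ip_address(pkt["src"]) not in ip_network(src_net):
        return False
    # Stateless test: any packet with ACK set passes a -k rule, whether or not
    # a connection actually exists; the 2.0 kernel keeps no connection table.
    if flag == "ack" and "ACK" not in pkt["flags"]:
        return False
    return True

def filter_packet(pkt, rules=RULES, default="accept"):
    """Return the verdict for a packet arriving on the input chain (assumed default: accept)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return default

SAMPLE = {  # constructed packets; 198.51.100.0/24 stands in for an outside network
    "new_inbound_to_8080": {"proto": "tcp", "src": "198.51.100.7", "dport": 8080, "flags": {"SYN"}},
    "synack_for_our_connection": {"proto": "tcp", "src": "198.51.100.7", "dport": 40000, "flags": {"SYN", "ACK"}},
    "inbound_to_x11": {"proto": "tcp", "src": "198.51.100.7", "dport": 6000, "flags": {"SYN"}},
    "dns_reply_external": {"proto": "udp", "src": "198.51.100.53", "dport": 40001, "flags": set()},
    "dns_reply_campus": {"proto": "udp", "src": "143.58.1.1", "dport": 40001, "flags": set()},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:28s} -> {filter_packet(pkt)}")
```

Note that the unchanged UDP reject still drops replies from off-campus servers to high ports, which is why the UDP side of the ruleset deserves the same attention as the TCP flags.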
