Request for Discussion on Unprivileged ports

Post by William Knechte » Mon, 02 Apr 2001 03:24:17



Hello!

The topic on my mind currently is unprivileged ports.  What is common to do
when dealing with unprivileged ports and a firewall? If there are no
services running on them, is there a reason to lock them down?  The way I
understand it (please correct me if I'm wrong) is that a connection request will
come in to a service on a privileged port, say 80, then the httpd will
spawn a child and reconnect back to the requestor on an unprivileged
(random) port.  I mean, you could force all traffic on unprivileged ports
into a different port with PAT or something similar, but is it necessary?

I guess I'm looking for clarification here.  I'm still a bit of a neophyte
with firewalling; though I've slain a lot of dragons up to this point in
configuration and tweaking, I just want to understand the nature of the
dragon now.  Can someone clarify this for me?  Thanks in advance!

Kindest Regards,
Bill

 
 
 

Request for Discussion on Unprivileged ports

Post by Manfred Bart » Mon, 02 Apr 2001 04:05:15



> The topic on my mind currently is unprivileged ports.  What is
> common to do when dealing with unprivileged ports and a firewall?
> If there are no services running on them, is there a reason to lock
> them down?  

No, if you can ensure that no service will ever be started on
that port.  On my system, all ports above 1023 with no server
on it are open.

> The way I understand it (please correct me if I'm wrong) is that a
> connection request will come in to a service on a privileged port,
> say 80, then the httpd will spawn a child and reconnect back to the
> requestor on an unprivileged (random) port.  

No, the connection is established by the client.  The server always
uses its well-known port, 80 in this case.  The TCP connection is
uniquely identified by source-addr:port and destination-addr:port.
The server can have many connections to port 80 simultaneously.

> I mean, you could force all traffic on unprivileged ports into a
> different port with PAT or something similar, but is it necessary?

Huh?  I don't know what you mean here.  If you Address Translate to
a different port how do you expect clients to find the server?

--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Request for Discussion on Unprivileged ports

Post by Jimi Thompso » Tue, 03 Apr 2001 09:26:45


You should seriously consider purchasing a copy of TCP/IP for Dummies.

Your question should be rephrased as "When I leave the house, I lock the
front door.  Is there a reason to lock the back door, too?"



> > The topic on my mind currently is unprivileged ports.  What is
> > common to do when dealing with unprivileged ports and a firewall?
> > If there are no services running on them, is there a reason to lock
> > them down?

> No, if you can ensure that no service will ever be started on
> that port.  On my system, all ports above 1023 with no server
> on it are open.

> > The way I understand it (please correct me if I'm wrong) is that a
> > connection request will come in to a service on a privileged port,
> > say 80, then the httpd will spawn a child and reconnect back to the
> > requestor on an unprivileged (random) port.

> No, the connection is established by the client.  The server always
> uses its well-known port, 80 in this case.  The TCP connection is
> uniquely identified by source-addr:port and destination-addr:port.
> The server can have many connections to port 80 simultaneously.

> > I mean, you could force all traffic on unprivileged ports into a
> > different port with PAT or something similar, but is it necessary?

> Huh?  I don't know what you mean here.  If you Address Translate to
> a different port how do you expect clients to find the server?

> --
> Manfred
> ---------------------------------------------------------------
> ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Request for Discussion on Unprivileged ports

Post by Manfred Bart » Tue, 03 Apr 2001 10:09:18





> > > The topic on my mind currently is unprivileged ports.  What is
> > > common to do when dealing with unprivileged ports and a firewall?
> > > If there are no services running on them, is there a reason to lock
> > > them down?

> > No, if you can ensure that no service will ever be started on
> > that port.  On my system, all ports above 1023 with no server
> > on it are open.

> > > The way I understand it (please correct me if I'm wrong) is that a
> > > connection request will come in to a service on a privileged port,
> > > say 80, then the httpd will spawn a child and reconnect back to the
> > > requestor on an unprivileged (random) port.

> > No, the connection is established by the client.  The server always
> > uses its well-known port, 80 in this case.  The TCP connection is
> > uniquely identified by source-addr:port and destination-addr:port.
> > The server can have many connections to port 80 simultaneously.

> > > I mean, you could force all traffic on unprivileged ports into a
> > > different port with PAT or something similar, but is it necessary?

> > Huh?  I don't know what you mean here.  If you Address Translate to
> > a different port how do you expect clients to find the server?

> You should seriously consider purchasing a copy of TCP/IP for Dummies.

You should consider buying ``basic email etiquette for the complete idiot''.

> Your question should be rephrased as "When I leave the house, I lock the
> front door.  Is there a reason to lock the back door, too?"

How about you demonstrate at least a tiny shred of networking
knowledge by replying on topic and with something constructive
and of substance?

--
Manfred Bartz
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

Request for Discussion on Unprivileged ports

Post by Juergen P. Mei » Tue, 03 Apr 2001 18:38:42



> Your question should be rephrased as "When I leave the house, I lock the
> front door.  Is there a reason to lock the back door, too?"

If there is no back door (i.e. server listening on the port): No.

Firewalls are for people with too many doors, or Windows(tm) ;)

Juergen

--

"This World is about to be Destroyed!"

 
 
 

Request for Discussion on Unprivileged ports

Post by Christer Pal » Tue, 03 Apr 2001 21:41:29



> The topic on my mind currently is unprivileged ports.  What is common to do
> when dealing with unprivileged ports and a firewall? If there are no
> services running on them, is there a reason to lock them down?

The common way of configuring a firewall is to lock _everything_ down
that is not explicitly permitted.

> The way I
> understand it (please correct me if I'm wrong) is that a connection request will
> come in to a service on a privileged port, say 80, then the httpd will
> spawn a child and reconnect back to the requestor on an unprivileged
> (random) port.

That is not correct. httpd will pass the socket to the spawned child.

> I mean, you could force all traffic on unprivileged ports
> into a different port with PAT or something similar, but is it necessary?

PAT is something different (used for outgoing traffic only).
Some NATs allow you to also translate the port number for static
translations. This could be very useful if you want to run a service
under an unprivileged user ID on a system that does not allow
unprivileged IDs to open privileged ports.

> I guess I'm looking for clarification here.  I'm still a bit of a neophyte
> with firewalling; though I've slain a lot of dragons up to this point in
> configuration and tweaking, I just want to understand the nature of the
> dragon now.  Can someone clarify this for me?  Thanks in advance!

I suggest you read one or more of the many great books available on the
subject.
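An added example (not code from any poster in this thread) that demonstrates the two points made above by Manfred and Christer: a TCP server keeps answering on its one listening port for every connection, each connection being distinguished by its client address:port, and the accepted socket is simply handed to a worker (here a thread; a forking httpd does the same with a child process) rather than the server "reconnecting back" to the client on a random high port. It runs entirely on the loopback interface; binding to port 0 (an assumption made so the demo runs without root) lets the kernel pick a free port, standing in for port 80. Every accepted connection reports the same local port, and only the peer ports differ, which is exactly why a firewall with a default-deny inbound policy never needs to open unprivileged ports just because a web server is running.

```python
import socket
import threading


def serve_connections(n_clients: int, port: int = 0) -> dict:
    """Listen on one fixed port, accept n_clients connections and record
    the (local, peer) address pair of each one.

    port=0 is an assumption for this demo: the kernel picks a free
    unprivileged port so the example runs without root; a real httpd
    would bind port 80 and behave identically.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(n_clients)
    server_addr = listener.getsockname()  # (ip, the one well-known port)

    records = []
    lock = threading.Lock()

    def worker(conn):
        # The accepted socket is passed to the worker as-is (this is what
        # httpd does with a forked child). No new connection is opened back
        # to the client; the local end is still the listening port.
        with conn:
            local = conn.getsockname()
            peer = conn.getpeername()
            request = conn.recv(64)
            conn.sendall(b"served on local port %d\n" % local[1])
            with lock:
                records.append((local, peer, request))

    def client(i):
        # Each client connects from an ephemeral source port chosen by the
        # kernel; that source port is what makes the 4-tuple unique.
        with socket.create_connection(server_addr) as s:
            s.sendall(b"client %d" % i)
            s.recv(64)

    clients = [threading.Thread(target=client, args=(i,))
               for i in range(n_clients)]
    for t in clients:
        t.start()

    workers = []
    for _ in range(n_clients):
        conn, _ = listener.accept()
        w = threading.Thread(target=worker, args=(conn,))
        w.start()
        workers.append(w)
    for t in clients + workers:
        t.join()
    listener.close()

    return {
        "server_port": server_addr[1],
        # every accepted connection's local port, deduplicated
        "local_ports": sorted({local[1] for local, _, _ in records}),
        # one distinct ephemeral port per client connection
        "peer_ports": sorted(peer[1] for _, peer, _ in records),
        "count": len(records),
    }


if __name__ == "__main__":
    result = serve_connections(5)
    print("server listened on port", result["server_port"])
    print("local port seen by every connection:", result["local_ports"])
    print("client (ephemeral) ports:", result["peer_ports"])
```

Running it shows `local_ports` containing only the single listening port while `peer_ports` holds five distinct high-numbered ports. On the firewall side, the only inbound rule such a server needs is one for its listening port plus a rule admitting packets that belong to established connections; the client's ephemeral port appears in the reply traffic as a destination on the client's host, not as something the server's firewall has to open.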
