Very Computer

port   22 filtered

What kind of filering rule could result this? I have setup filters on
my machine and it only says "open", I'm wondering why.

Thanks,

Yang

Alternatively...
iptables -t filter -A INPUT -p tcp --dport 22 -j DENY
Pay attention to the order of the rules though, there is little point in
denying it specifically if you have already allowed it higher up the chain.

Stu

will result denying everything but http connection initiated internally(?).
but will a port scan on port 80 display "filtered" instead of "open" ?

Thanks,

Yang

Quote:>>Stu

> I understand that part, for example
> iptables -t filter -A INPUT -p tcp -m syn -dport 80 -j ALLOW
> iptables -t filter -A INPUT -j DENY

> will result denying everything but http connection initiated internally(?).
> but will a port scan on port 80 display "filtered" instead of "open" ?

> Thanks,

> Yang

B) Normally, the machine will respond with a syn-ack packet (sychronize
acknowledge) if the port is open and there is a service listening, a
tcp-rst (reset) if the port is reachable but no service is listening,
and no response at all if the port is firewalled. I believe the filtered
is caused by the third option. In your example above, it should return
"open".

bryan

--
Earth first...we'll strip-mine the other planets later.

Quote:> A) That first rule will allow the first packet in the TCP connection
> process to port 80. There is nothing there that would indicate that it
> only allows "internally". It should accept packets from all source
> addresses.

If there is such a way, is it possible to change the responce to such
connections from REJECT to DROP.

And if not, is there any way to delay any responce (faking the connection to
the application) long enough to detect if there's any outbound traffic
attempts, then either allow the connection to proceed, or drop it entirely?
I'm guessing some kind of freaky proxy would be needed, or a TCP-wrapper
type deal.  But it still doesn't help with generating a DROP type responce.
If such a thing doesn't exist, but would be possible, any technical details
would be nice.  I may just be interested in trying to write such a beast.

Quote:

> Some (all?) programs that only accept connections from certain sources do an
> accept/close on connections they don't like, don't they?  I'm not aware of
> any way to peek at an incomming connection, and tell the system to toss it
> out without connecting.

Quote:

> If there is such a way, is it possible to change the responce to such
> connections from REJECT to DROP.

Quote:> And if not, is there any way to delay any responce (faking the connection to
> the application) long enough to detect if there's any outbound traffic
> attempts, then either allow the connection to proceed, or drop it entirely?
> I'm guessing some kind of freaky proxy would be needed, or a TCP-wrapper
> type deal.  But it still doesn't help with generating a DROP type responce.
> If such a thing doesn't exist, but would be possible, any technical details
> would be nice.  I may just be interested in trying to write such a beast.

Apologies if I'm completely missing your point, I think I must be.

angel

bryan
--
Earth first...we'll mine the other planets later.

Quote:> > > And if not, is there any way to delay any responce (faking the
> > > connection to the application) long enough to detect if there's any
> > > outbound traffic attempts, then either allow the connection to
> > > proceed, or drop it entirely? I'm guessing some kind of freaky
> > > proxy would be needed, or a TCP-wrapper type deal.
> I don't quite get it. Of course there will be an outbound attempt.
> That's how TCP works. The remote machine sends a packet with the
> SYN flag set, the host computer replies with a packet with the SYN
> and ACK flags set. They then go about their merry way of setting up
> a connection. Either block the traffic coming in if you don't want it, or
> let it through if you do. I don't see any point in delaying.

And so I need to convert a "remote host dropped connection", as is generated
by the TCP wrappers, into a simple DROP.  And the only way I can concieve of
to accomplish that, is to implement a delay to detect an application doing
an accept/close.

Quote:> The point is, that I'm not about to add some 120-odd ACCEPT rules so I can
> safely drop everything else.  I know who'll be connecting, I just don't
want
> to have to add them all to my iptables ruleset.  I also know who I don't
> want to allow to connect, but I don't know where they'll be connecting
from,
> especially when they start using proxy's and the likes.

> And so I need to convert a "remote host dropped connection", as is
generated
> by the TCP wrappers, into a simple DROP.  And the only way I can concieve
of
> to accomplish that, is to implement a delay to detect an application doing
> an accept/close.

~Tim
--

Came the tranquil and the calm,             |http://spodzone.org.uk/
On the ridge of the mighty Atlantic.        |

You piggie...  :)

-m-

~Tim
--
       09:27:10 up 14:15,  2 users,  load average: 0.57, 0.47, 0.30

http://piglet.is.dreaming.org     |Soar above the singing river