firewalling high-numbered ports (WAS: [PLUG] Problems with Apache and FTP)
|
> Yeah.. with my linux-based firewall (LEAF dachstein-cd), I needed to
> open up the high ports (above 1023) in addition to 21 and 20 for ftp to
> work. be sure you specifically close ports you dont want the outside
> world being able to access, though - 3306 MySQL, 6000 X, 2049 NFS, 7100
> xfs
If you want to have a default deny rule on all ports, you can also open up non-SYN packets (TCP/IP SYN packets open the network connections) on high-numbered ports. For each outgoing service, I have an IPChains rule with the ! -y flag (-y = SYN ; ! -y = NOT SYN). This allows in packets that do not make an initial connection through. e.g. for http:

ipchains -A input -p tcp -s 0/0 80 ! -y -j ACCEPT

This lets in all non-SYN packets that originate on port 80 (e.g. return requests when I browse a Web site).
Of course, your firewall rules should be customized to the level of security that you need.
Philip
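A dry-run ruleset in the style described in the post above, as an added example that is not part of the original mail. It assumes the host is an ftp client using active mode and talks out to the service ports listed in OUTGOING_SERVICE_PORTS; the IPCHAINS variable and the two function names are chosen here, not taken from the thread.

```shell
#!/bin/sh
# Dry run by default: IPCHAINS expands to "echo ipchains", so the script only
# prints the commands it would load. Set IPCHAINS=ipchains to load them for
# real (requires root and an ipchains-era 2.2 kernel).
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Server ports this host connects out to as a client (assumed list). Replies
# come back from these source ports without the SYN flag, so "! -y" lets the
# return traffic in without opening the high ports to new connections.
OUTGOING_SERVICE_PORTS="80 443 25 110"

# Local services that must never be reachable from outside, as listed in the
# quoted reply: MySQL, X11, NFS and the X font server.
CLOSED_PORTS="3306 6000 2049 7100"

build_rules() {
    # Default deny on the input chain, then start from an empty chain.
    $IPCHAINS -P input DENY
    $IPCHAINS -F input
    $IPCHAINS -A input -i lo -j ACCEPT

    # Explicit, logged denies first so nothing below can reopen them.
    for port in $CLOSED_PORTS; do
        $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 "$port" -j DENY -l
        $IPCHAINS -A input -p udp -s 0/0 -d 0/0 "$port" -j DENY -l
    done

    # FTP as a client: the control channel we open ourselves is covered by the
    # return-traffic rule below; active-mode data connections are opened by the
    # server from its port 20 to a high port on our side, so this is the only
    # SYN accepted on the high ports.
    $IPCHAINS -A input -p tcp -s 0/0 21 ! -y -j ACCEPT
    $IPCHAINS -A input -p tcp -s 0/0 20 -d 0/0 1024:65535 -j ACCEPT

    # Return traffic for every outgoing service: non-SYN packets only, the
    # "! -y" rule from the post.
    for port in $OUTGOING_SERVICE_PORTS; do
        $IPCHAINS -A input -p tcp -s 0/0 "$port" ! -y -j ACCEPT
    done
}

# Number of ipchains commands build_rules emits in dry-run mode.
count_rules() {
    build_rules | grep -c '^ipchains'
}

build_rules
```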
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug