* Source Port
From: Dharmendra.T @ 2003-04-15 11:02 UTC (permalink / raw)
To: netfilter
Hi everyone,
I am a regular reader of this list and I have observed that most of the
users won't use source ports in their rules. Say, for example,
#iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
In this kind of rule they will not specify the source port from 1024
to 65545. I strongly recommend that all Linux users specify exact
rules for what is allowed and what is not allowed.
Any comments? Could this be a good practice?
--
Regards
Dharmendra.T
This message is intended for the addressee only. It may contain
privileged or Confidential information. If you have received this
message in error,please notify the sender and destroy the message
immediately.Unauthorised use or reproduction of this message is strictly
prohibited.
* Re: Source Port
From: Raymond Leach @ 2003-04-15 11:11 UTC (permalink / raw)
To: Netfilter Mailing List
Why? In the specific example that you give, what would be the
implications?
On Tue, 2003-04-15 at 13:02, Dharmendra.T wrote:
> Hi Everyone,
>
> I am a regular reader of this list and I have observed that most of
> the users won't use source ports in their rules. Say, for example,
>
> #iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j
> ACCEPT
>
> In this kind of rule they will not specify the source port from 1024
> to 65545. I strongly recommend that all Linux users specify exact
> rules for what is allowed and what is not allowed.
>
> Any comments? Could this be a good practice?
> --
> Regards
> Dharmendra.T
* Re: Source Port
From: Dharmendra.T @ 2003-04-15 12:50 UTC (permalink / raw)
To: Netfilter Mailing List
Yes, that is how the applications work. The server will connect to the
client's arbitrary ports for communication, except in some cases.
On Tue, 2003-04-15 at 16:41, Raymond Leach wrote:
Why? In the specific example that you give, what would be the
implications?
On Tue, 2003-04-15 at 13:02, Dharmendra.T wrote:
> Hi Everyone,
>
> I am a regular reader of this list and I have observed that most of
> the users won't use source ports in their rules. Say, for example,
>
> #iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j
> ACCEPT
>
> In this kind of rule they will not specify the source port from 1024
> to 65545. I strongly recommend that all Linux users specify exact
> rules for what is allowed and what is not allowed.
>
> Any comments? Could this be a good practice?
> --
> Regards
> Dharmendra.T
--
Regards
Dharmendra.T
* RE: Source Port
From: Michael K @ 2003-04-15 15:22 UTC (permalink / raw)
To: netfilter
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Dharmendra.T
Sent: Tuesday, April 15, 2003 1:02 PM
To: netfilter@lists.netfilter.org
Subject: Source Port
Hi Everyone,
I am a regular reader of this list and I have observed that most of the
users won't use source ports in their rules. Say, for example,
#iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
In this kind of rule they will not specify the source port from 1024
to 65545. I strongly recommend that all Linux users specify exact
rules for what is allowed and what is not allowed.
Any comments? Could this be a good practice?
--
Regards
Dharmendra.T
If you have a personal firewall (only INPUT, OUTPUT) and only ONE IP,
it's not necessary to use --source. However, if you have more than ONE IP
you could have a use for --source and --sport.
I myself always add stronger rules to my firewall using --sport --source
--destination --dport --in-interface --out-interface, and end up with
more rules :-(.
I think that adding a stronger rule set makes hacking harder, but it will add
more administration to the firewall.
E.g. adding strong firewall rules for SMB is a pain. But thanks to
--state the number of rules will be shortened.
/Klintan
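The rule sets discussed in this thread, as an added example (not code from the thread, from netfilter, or from any of the posters): a small Python model of first-match INPUT filtering with a stand-in conntrack table. All packets, addresses and ports are constructed for the demo. It shows what --sport 1024:65535 changes for the telnet rule in the original post, how --state (Klintan's point) lets later packets of a connection ride on the conntrack entry so only the first packet has to pass the tight rule, and the caveat a practitioner wants next to this thread: the source port is chosen by the peer, so a rule that accepts traffic because of its source port is trivially bypassed.

```python
# Added example, not code from the thread: a small model of how iptables walks
# the INPUT chain, to show what --sport buys you and what --state adds.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn_only: bool = True   # True = new connection attempt, False = mid-stream segment

@dataclass
class Rule:
    target: str                                  # "ACCEPT" or "DROP"
    src_net: Optional[str] = None                # -s 192.168.1.0/24
    proto: Optional[str] = None                  # -p tcp
    sport: Optional[Tuple[int, int]] = None      # --sport low:high (inclusive)
    dport: Optional[Tuple[int, int]] = None      # --dport low:high (inclusive)
    state: Optional[Set[str]] = None             # -m state --state NEW,ESTABLISHED,...

    def matches(self, p: Packet, state: str) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.state and state not in self.state:
            return False
        return True

class Firewall:
    """First matching rule wins; an unmatched packet gets the chain policy."""
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy
        # Stand-in for the kernel conntrack table: (src ip, sport, dport, proto).
        self.conntrack: Set[Tuple[str, int, int, str]] = set()

    def _state(self, p: Packet) -> str:
        if (p.src, p.sport, p.dport, p.proto) in self.conntrack:
            return "ESTABLISHED"
        return "NEW" if p.syn_only else "INVALID"   # mid-stream segment with no entry

    def filter(self, p: Packet) -> str:
        state = self._state(p)
        for r in self.rules:
            if r.matches(p, state):
                if r.target == "ACCEPT" and state == "NEW":
                    self.conntrack.add((p.src, p.sport, p.dport, p.proto))
                return r.target
        return self.policy

# The rule from the original post: any source port is accepted.
LOOSE = [Rule("ACCEPT", src_net="192.168.1.0/24", proto="tcp", dport=(23, 23))]

# The suggested tightening: clients must come from an unprivileged source port.
SPORT_PINNED = [Rule("ACCEPT", src_net="192.168.1.0/24", proto="tcp",
                     sport=(1024, 65535), dport=(23, 23))]

# With --state only the first packet of a connection has to pass the tight rule;
# later packets ride on the conntrack entry, so the rule count stays small.
STATEFUL = [
    Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", src_net="192.168.1.0/24", proto="tcp",
         sport=(1024, 65535), dport=(23, 23), state={"NEW"}),
]

# The anti-pattern: treating the *source* port as proof of who is talking
# (e.g. "replies from DNS servers"). The peer chooses its own source port.
SPORT_TRUSTED = [Rule("ACCEPT", proto="udp", sport=(53, 53))]

def demo() -> Dict[str, str]:
    # Constructed packets for the demo; addresses and ports are made up.
    normal = Packet("192.168.1.10", 40123, 23)                     # ordinary telnet client
    low_sport = Packet("192.168.1.10", 20, 23)                     # privileged/forged source port
    follow_up = Packet("192.168.1.10", 40123, 23, syn_only=False)  # later segment of `normal`
    fake_dns = Packet("10.0.0.5", 53, 161, proto="udp")            # sport 53 aimed at SNMP
    results = {
        "loose_low_sport": Firewall(LOOSE).filter(low_sport),            # ACCEPT
        "pinned_low_sport": Firewall(SPORT_PINNED).filter(low_sport),    # DROP
        "pinned_normal": Firewall(SPORT_PINNED).filter(normal),          # ACCEPT
        "stray_segment_no_entry": Firewall(STATEFUL).filter(follow_up),  # DROP (INVALID)
        "sport_trusted_bypass": Firewall(SPORT_TRUSTED).filter(fake_dns),  # ACCEPT: bypassed
    }
    fw = Firewall(STATEFUL)
    results["stateful_first"] = fw.filter(normal)         # ACCEPT, creates conntrack entry
    results["stateful_follow_up"] = fw.filter(follow_up)  # ACCEPT via ESTABLISHED
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Running it prints one verdict per case. Pinning --sport narrows what the rule admits (the forged source port 20 is dropped) but authenticates nothing, as the SPORT_TRUSTED case shows; the stateful set keeps the rule count small and also drops a mid-stream segment that has no conntrack entry, which the stateless rules would pass on port numbers alone.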
* Re: Source Port
From: Julian Gomez @ 2003-04-16 7:26 UTC (permalink / raw)
To: netfilter
On Tue, Apr 15, 2003 at 04:32:13PM +0530, Dharmendra.T spoke thusly:
>#iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
For this case, it doesn't matter because I doubt your telnet binary
will be using 1-1024 ports for the outgoing telnet session initiation.
It'll need to be setuid to make the bind() call I think (Unix systems).
>Any Comments? This could be a good practise?
For other services, yes it can be tied down further. IKE traffic is
for source (UDP 500) <-> destination (UDP 500). I vaguely remember NTP
also being tied down to port 123, but that might have been specific to
my configuration settings, or even my source package.
I think there was (?) a tunable setting in /proc which can determine
which outgoing port numbers should be used, and it'll recycle the
numbers by itself.
If you are unlucky enough to be using (puke :-) MS Exchange, and your
users require access remotely -- it requires full 1-65535 (or close
enough) filter rules to be left wide open, unless you tweak the registry
settings to limit the port ranges. It makes sense there.
--
"any nation that wants to control its borders can do so."
- Tommy Franks; Mexicans && Columbia Drug War ?
* RE: Source Port
From: Michael K @ 2003-04-16 10:07 UTC (permalink / raw)
To: netfilter
--snip--
> I think there was (?) a tunable setting in /proc which can
> determine which outgoing port numbers should be used, and
> it'll recycle the numbers by itself.
Sure thing. Go to
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN269
--snip---
/Klintan
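On the /proc tunable mentioned above, an added example (not from the thread or from the linked tutorial): reading the Linux ephemeral port range from /proc/sys/net/ipv4/ip_local_port_range and turning it into the --sport match for the telnet rule, with a check that the range does not dip into privileged ports. The fallback value "32768 60999" is an assumption for hosts where that file is absent (it is the usual Linux default), and the rule text the helper emits is illustrative, not taken from the thread.

```python
# Added example, not code from the thread: derive the --sport range for an
# iptables rule from the kernel's ephemeral port range instead of guessing it.
import socket
from typing import List, Tuple

PROC_PATH = "/proc/sys/net/ipv4/ip_local_port_range"   # Linux sysctl, "low\thigh"
LINUX_DEFAULT = "32768\t60999"   # assumed fallback when /proc is not available

def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the two-number form of ip_local_port_range into (low, high)."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range contents: {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {low}-{high}")
    return low, high

def read_port_range(path: str = PROC_PATH) -> Tuple[int, int]:
    """Read the live range; fall back to the assumed default off Linux."""
    try:
        with open(path) as f:
            return parse_port_range(f.read())
    except OSError:
        return parse_port_range(LINUX_DEFAULT)

def dips_into_privileged(low: int, high: int) -> bool:
    """True if the range includes ports < 1024, which need root to bind() on Unix."""
    return low < 1024

def telnet_rules(src_net: str, low: int, high: int) -> List[str]:
    """Illustrative stateful rule pair for the telnet case from the thread."""
    return [
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -s {src_net} -p tcp --sport {low}:{high} --dport 23 "
        "-m state --state NEW -j ACCEPT",
    ]

def port_picked_by_kernel() -> int:
    """Bind a TCP socket to port 0 and report the ephemeral port the kernel chose."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    low, high = read_port_range()
    print(f"ephemeral range: {low}-{high}, privileged overlap: {dips_into_privileged(low, high)}")
    print(f"kernel picked port {port_picked_by_kernel()} for a fresh bind()")
    print("\n".join(telnet_rules("192.168.1.0/24", low, high)))
```

The range read here is the firewall host's own, so it is only valid for pinning that host's outgoing connections (an OUTPUT rule). Clients on other machines pick from their own OS range (older Windows, for instance, used 1025-5000), so a gateway rule pinned to 32768:60999 would drop legitimate sessions; for foreign clients 1024:65535, as suggested in the thread, is the safe bound.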
* RE: Source Port
From: Dharmendra.T @ 2003-04-16 11:12 UTC (permalink / raw)
To: netfilter
On Wed, 2003-04-16 at 15:37, Michael K wrote:
--snip--
> I think there was (?) a tunable setting in /proc which can
> determine which outgoing port numbers should be used, and
> it'll recycle the numbers by itself.
Sure thing. Go to
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN269
--snip---
/Klintan
Yes, this is a nice one.
--
Regards
Dharmendra.T