From: Julian Gomez <kluivert@tm.net.my>
To: netfilter@lists.netfilter.org
Subject: Re: Source Port
Date: Wed, 16 Apr 2003 15:26:47 +0800
Message-ID: <20030416072647.GB3806@floyd>
On Tue, Apr 15, 2003 at 04:32:13PM +0530, Dharmendra.T spoke thusly:
>#iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
For this case, it doesn't matter because I doubt your telnet binary
will be using 1-1024 ports for the outgoing telnet session initiation.
It'll need to be setuid to make the bind() call I think (Unix systems).
>Any Comments? This could be a good practice?
For other services, yes it can be tied down further. IKE traffic is
for source (UDP 500) <-> destination (UDP 500). I vaguely remember NTP
also being tied down to port 123, but that might have been specific to
my configuration settings, or even my source package.
I think there was (?) a tunable setting in /proc which can determine
which outgoing port numbers should be used, and it'll recycle the
numbers by itself.
If you are unlucky enough to be using (puke :-) MS Exchange, and your
users require access remotely -- it requires full 1-65535 (or close
enough) filter rules to be left wide open, unless you tweak the registry
settings to limit the port ranges. It makes sense there.
--
"any nation that wants to control its borders can do so."
- Tommy Franks; Mexicans && Columbia Drug War ?
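The rule-tightening discussed above, as an added example that is not part of the original post or thread: a small POSIX sh script that reads the kernel's outgoing port range from /proc/sys/net/ipv4/ip_local_port_range (the tunable the reply refers to), then emits iptables rules that restrict the client's source port as well as the service port. The function names, the fallback range 1024:65535 and the sample networks are assumptions made for this example; the script only prints the rules rather than loading them, so it can be run without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Generate iptables rules that
# tie down the source port of incoming connections, not just the service port.

# Read the kernel's ephemeral (outgoing) port range from /proc when readable.
# The file holds two whitespace-separated numbers, e.g. "32768 60999".
# Fallback 1024:65535 is an assumption for hosts without that file.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read lo hi < /proc/sys/net/ipv4/ip_local_port_range
        echo "$lo:$hi"
    else
        echo "1024:65535"
    fi
}

# Return 0 when port $1 lies inside range $2 given as "lo:hi"; this is the
# same test the --sport match performs, used here to sanity-check a range.
sport_in_range() {
    lo=${2%%:*}
    hi=${2##*:}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# TCP service rule: accept only connections whose source port is in the
# client's ephemeral range, so packets claiming a privileged (<1024) source
# port are dropped by the later policy.
# $1 = source network, $2 = destination port, $3 = allowed source-port range
tcp_service_rule() {
    echo "iptables -A INPUT -s $1 -p tcp --sport $3 --dport $2 -j ACCEPT"
}

# UDP peer-to-peer rule for protocols that talk port N <-> port N (IKE 500,
# NTP 123): both ends are pinned, so nothing else on UDP gets through.
# $1 = source network, $2 = port used on both sides
udp_peer_rule() {
    echo "iptables -A INPUT -s $1 -p udp --sport $2 --dport $2 -j ACCEPT"
}

# Print a rule set for the example network used in the thread.
range=$(ephemeral_range)
tcp_service_rule 192.168.1.0/24 23 "$range"
udp_peer_rule 192.168.1.0/24 500
udp_peer_rule 192.168.1.0/24 123
```

Pipe the output into a shell (or paste it into the firewall script) after reviewing it; the telnet rule only helps once a DROP policy or a final DROP rule follows it, since a rule that accepts a narrower set of packets changes nothing on its own.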