* Re: dhcp windows client port (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-11-12 19:36 UTC
To: netfilter
On 2005.11.12 13:45, P theodorou - props666999@hotmail.com wrote:
> Thanks Rob for your detailed reply.
>
> My intention is to secure this side of the network as much as possible.
> I'm not a guru, but common sense says that if I block everything apart from
> the web access then this is a well restricted policy, OR IS IT NOT?
First, it may be overly restrictive.
For instance, some people find ftp useful,
some people send and receive email,
and some use network time protocol.
Second, some clients you may not approve of
will contact outside servers on port 80
when their preferred ports are blocked.
I believe that skype, for instance, does this.
The firewall rules below work at the level of
internet protocols, such as 'tcp',
and, for tcp, the ports that tcp uses.
These rules do not distinguish what flows
through a tcp connection on port 80;
they do not distinguish 'http' from other traffic.
And even the http protocol can be used as a
wrapper for many other things - it does not
have to originate from a web browser, for instance.
So, you should not feel overly secure just because
of the limits on which ports are allowed.
Jim
>
> regards
>
>> From: "Rob Sterenborg" <rob@sterenborg.info>
>> To: <netfilter@lists.netfilter.org>
>> Subject: RE: dhcp windows client port
>> Date: Sat, 12 Nov 2005 18:08:14 +0100
>>
>> > I wish the windows machine which receives Internet from the
>> > firewall pc to be restricted fully apart from the port needed to
>> > access the internet.
>> >
>> > The windows machine has got full access when my rc.firewall
>> > contains
>> >
>> > $iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
>> >
>> > which gives the windows machine access to every port.
>> >
>> > I've tried unsuccessfully the following command:
>> >
>> > $iptables -A FORWARD -p TCP -i $LAN_IFACE --sport XX -j ACCEPT
>> >
>> > My netstat on the windows machine displays various connections.
>> > A few questions now:
>> >
>> > 1. Which port should be allowed for the windows machine to see the internet?
>> > 2. Can I restrict it to something like:
>> > $iptables -A FORWARD -p TCP -i $LAN_IFACE --sport XX --dport XX -j
>> > ACCEPT
>> >
>> > In other words, allow the windows relevant port for accessing the
>> > internet to be connected to the specific port of the firewall.
>>
>> You will not connect to any port on the firewall. The firewall will
>> route your packets through to the internet.
>>
>> To access websites you need DNS (port 53/udp, sometimes tcp) to be able
>> to resolve the hostname of the website. Further, most websites use http
>> and/or https, ports 80/tcp and 443/tcp.
>> So, your ruleset would look like:
>>
>> $ipt -P FORWARD DROP
>> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> $ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
>> -p udp --dport 53 -j ACCEPT
>> $ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
>> -p tcp --dport 53 -j ACCEPT
>> $ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
>> -p tcp --dport 80 -j ACCEPT
>> $ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
>> -p tcp --dport 443 -j ACCEPT
>>
>> But, this way you will not be able to browse a website that is not
>> hosted on a standard port (eg 81/tcp).
>> For more information about Netfilter, check out
>> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
>>
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: dhcp windows client port
From: Gabriel @ 2005-11-12 21:25 UTC
To: netfilter
On Sat, 12 Nov 2005 18:08:23 +0200, P theodorou
<props666999@hotmail.com> wrote:
> Hello
>
> I wish the windows machine which receives Internet from the firewall pc
> to be restricted fully apart from the port needed to access the internet.
>
> The windows machine has got full access when my rc.firewall contains
>
> $iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
>
> which gives the windows machine access to every port.
>
> I've tried unsuccessfully the following command:
>
> $iptables -A FORWARD -p TCP -i $LAN_IFACE --sport XX -j ACCEPT
>
> My netstat on the windows machine displays various connections.
> A few questions now:
>
> 1. Which port should be allowed for the windows machine to see the internet?
> 2. Can I restrict it to something like:
> $iptables -A FORWARD -p TCP -i $LAN_IFACE --sport XX --dport XX -j ACCEPT
>
> In other words, allow the windows relevant port for accessing the internet
> to be connected to the specific port of the firewall.
>
> regards
>
You could adopt a strategy where you allow all connections started from
the inside of your LAN (and, of course, all connections related to those),
but none that are started from the internet. So, you could set the FORWARD
policy to DROP, allow the IPs from inside the LAN to connect to the
internet and then use a rule that allows all ESTABLISHED and RELATED
connections.
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
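An added example, not code from any post in this thread, that generates the two rulesets discussed above as plain iptables commands: Rob Sterenborg's service-by-service FORWARD rules (quoted in Jim Laurino's reply) and Gabriel's "allow anything the LAN starts" variant. The interface names eth1/eth0, the IPT variable and the function names are assumptions; with IPT set to "echo iptables" the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the FORWARD ruleset
# described by Rob (explicit destination ports) or by Gabriel (any
# LAN-initiated connection). IPT, eth1/eth0 and the function names are
# assumptions.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run

# build_forward_rules <lan-if> <inet-if> [proto:port ...]
# No proto:port arguments: every NEW connection from the LAN to the internet
# is accepted (Gabriel's strategy). With arguments: only those services are
# accepted (Rob's ruleset is udp:53 tcp:53 tcp:80 tcp:443).
build_forward_rules() {
    lan="$1"; inet="$2"; shift 2
    # Fail closed first: nothing is forwarded unless a rule below accepts it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies and related traffic (e.g. ICMP errors) for accepted flows.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    if [ $# -eq 0 ]; then
        $IPT -A FORWARD -i "$lan" -o "$inet" -m state --state NEW -j ACCEPT
        return 0
    fi
    for svc in "$@"; do
        proto="${svc%%:*}"   # e.g. tcp
        port="${svc#*:}"     # e.g. 443
        $IPT -A FORWARD -i "$lan" -o "$inet" -m state --state NEW \
             -p "$proto" --dport "$port" -j ACCEPT
    done
    # Anything else from the LAN, and everything from the internet, hits
    # the DROP policy. Note that -p tcp --dport 80 admits any traffic that
    # talks to port 80, not only web browsing.
}

# count_accept_rules: dry-run helper, number of ACCEPT rules a policy yields.
count_accept_rules() {
    (IPT="echo iptables"; build_forward_rules "$@") | grep -c -- '-j ACCEPT'
}

# Dry run of Rob's ruleset; run as root with IPT=iptables to apply it.
(IPT="echo iptables"; build_forward_rules eth1 eth0 udp:53 tcp:53 tcp:80 tcp:443)
```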
* Re: dhcp windows client port
From: P theodorou @ 2005-11-12 23:27 UTC
To: netfilter
Hello again
Does anybody know where I can find scripts with very restricted policies?
If someone could suggest some, it would be very appreciated.
Google replies with mostly basic ones.
regards
* Re: dhcp windows client port
From: Tom Eastep @ 2005-11-12 23:51 UTC
To: netfilter
On Saturday 12 November 2005 15:27, P theodorou wrote:
> Hello again
>
> Does anybody know where I can find scripts with very restricted policies?
>
> If someone could suggest some, it would be very appreciated.
>
> Google replies with mostly basic ones.
Try http://www.shorewall.net -- you can make the Shorewall-generated ruleset
as restrictive as you wish.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
* Re: dhcp windows client port (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-11-13 3:13 UTC
To: netfilter
On 2005.11.12 18:27, P theodorou - props666999@hotmail.com wrote:
> Hello again
>
> Does anybody know where I can find scripts with very restricted policies?
> If someone could suggest some, it would be very appreciated.
You cannot have a more restrictive filter rule set
than the one Rob Sterenborg already gave you.
Your original statement:
>> I wish the windows machine which receives Internet
>> from the firewall pc to be restricted fully
>> apart from the port needed to access the internet.
is ambiguous, because "the internet" is *everything*,
but you did use the singular, "the port".
So I am responding to what I think you
might be trying to accomplish.
My guess is you mean something more like "the web".
I think you mean that you want
to restrict the pc to just "web browsing".
If this guess is correct, then
what you need to understand is that this
is not really a job that a firewall can do.
A firewall can restrict the pc to access
just tcp port 80, but that does not really
restrict what kind of traffic can flow.
My guess is that making the pc use
a proxy web server may do what you want.
For Linux, you could look at squid:
http://www.squid-cache.org/
I hope that helps.
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.