From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: port filtering
Date: Thu, 02 Jun 2005 10:18:33 -0500
Message-ID: <429F2349.5020605@riverviewtech.net>
In-Reply-To: <1117723215.10257.6.camel@debianbox>
Sadus . wrote:
> Is there a way to do port filtering as in allow only FTP protocol use
> port 21 and no other protocol such as opening apache on port 21 or
> opening SSH on port 443 which should ONLY be used for HTTPS?
To enforce only ftp access on port 21 you will need to run some sort of filter that will enforce only ftp commands, or something else that will detect ftp commands or not. The Layer 7 match extension will do this for you. There are caveats to using the l7 filter, as it tends to be less and less accurate the more complex the protocol is, but ftp does not fall into this category. L7 filter will put some additional load on your firewall / router too, as it has to inspect the higher layer packet and pass it through a regular expression to match (or not) the packet; hence you don't want all your traffic to pass through an l7 filter, just the traffic that is destined to or from port 21. I might also suggest that you connmark the known ftp traffic so you can match against the mark on subsequent packets and not have to pass all the packets of any given connection through the l7 filter, just enough to identify the traffic.

For more information on the "Application Layer Packet Classifier for Linux" (Layer 7) go to http://l7-filter.sourceforge.net/ and take a look. I have played with the l7 filter a little bit and was fairly impressed; however, I do not currently have it on any of my production firewalls. If you need / want more help with this let me know.
Grant. . . .
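An added example of the rule layout described in the reply above (written for this page, not Grant's own script or anything shipped by the l7-filter project): port 21 is the only traffic sent through the layer7 match, a connection mark records a positive ftp classification so later packets of that connection skip the regex, and a connection that passes the inspection window without ever looking like ftp is dropped. It assumes a forwarding firewall (rules in FORWARD), an iptables with the layer7 patch plus the CONNMARK, connmark, connbytes and multiport extensions, and the mark value 1, chain name FTP_ONLY and 10-packet window are arbitrary choices made here.

```shell
#!/bin/sh
# Added example (not from the original thread): allow only ftp on TCP/21 using
# the l7-filter "ftp" pattern plus a connection mark, as suggested in the reply.
# Assumptions: iptables with layer7 (l7-filter patch), CONNMARK/connmark,
# connbytes and multiport; a forwarding firewall, so rules go in FORWARD.
# FTP_MARK, the chain name and L7_WINDOW are values chosen for this example.
FTP_MARK=1
L7_WINDOW=10   # packets per connection the l7 matcher gets to classify it

# Print the rules in insertion order, one iptables argument list per line.
# Kept separate from apply_ftp_l7_rules so the set can be reviewed or tested
# without touching a live firewall.
ftp_l7_rules() {
    # Only traffic to or from port 21 goes anywhere near the l7 matcher.
    echo "-t filter -N FTP_ONLY"
    echo "-t filter -A FORWARD -p tcp -m multiport --ports 21 -j FTP_ONLY"
    # Connection already classified as ftp: accept without touching the payload.
    echo "-t filter -A FTP_ONLY -m connmark --mark $FTP_MARK -j ACCEPT"
    # Not yet classified: run the ftp regex; on a hit, mark the connection
    # (stored in conntrack, so the rule above catches every later packet).
    echo "-t filter -A FTP_ONLY -m layer7 --l7proto ftp -j CONNMARK --set-mark $FTP_MARK"
    echo "-t filter -A FTP_ONLY -m connmark --mark $FTP_MARK -j ACCEPT"
    # The handshake and first few packets carry no ftp banner yet; they must
    # pass or nothing could ever be classified.  This is the inspection window.
    echo "-t filter -A FTP_ONLY -m connbytes --connbytes 0:$L7_WINDOW --connbytes-dir both --connbytes-mode packets -j ACCEPT"
    # Past the window and still not ftp (e.g. a web server or sshd on port 21).
    echo "-t filter -A FTP_ONLY -j DROP"
}

# Load the rules with iptables (needs root). Stops at the first rule iptables
# rejects, e.g. when the layer7 match is not compiled in.
apply_ftp_l7_rules() {
    ftp_l7_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        iptables $rule || exit 1   # exit leaves the pipeline subshell with 1
    done
}

# Sanity check of the ordering: marked-accept before the l7 match, l7 match
# before the final DROP. Returns 0 when the order is right.
check_rule_order() {
    rules=$(ftp_l7_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "--mark $FTP_MARK -j ACCEPT" | head -n1 | cut -d: -f1)
    l7_line=$(printf '%s\n' "$rules" | grep -n -- "--l7proto ftp" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-j DROP" | cut -d: -f1)
    [ "$accept_line" -lt "$l7_line" ] && [ "$l7_line" -lt "$drop_line" ]
}
```

Run `ftp_l7_rules` to review the set, `apply_ftp_l7_rules` as root to load it; the window size is a trade-off, since l7-filter only examines the first packets of a connection and a window too small drops legitimate ftp before it can be recognised.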