| 1 |
On Mon, 2002-06-24 at 03:50, Conny R. Landstedt wrote: |
| 2 |
> To Kim Nielsen & Gentoo-dev |
| 3 |
> |
| 4 |
> In the "Gentoo Linux Security Guide" |
| 5 |
> >Code listing 64: /etc/init.d/firewall |
| 6 |
> > #Incoming traffic |
| 7 |
> > einfo "Creating incoming ssh traffic chain" |
| 8 |
> > $IPTABLES -N allow-ssh-traffic-in |
| 9 |
> > $IPTABLES -F allow-ssh-traffic-in |
| 10 |
> > $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT |
| 11 |
> |
| 12 |
> I'm not absolutely certain, but shouldn't it be "--dport" instead of |
| 13 |
> "--sport"? |
| 14 |
> |
| 15 |
|
| 16 |
No .. since --sport would be the client port and not the actual port of |
| 17 |
the service |
| 18 |
|
| 19 |
example: |
| 20 |
|
| 21 |
You create a http request to gentoo.org and this is what happens |
| 22 |
|
| 23 |
1. get ip for gentoo.org (64.57.168.198) |
| 24 |
2. allocate a client port |
| 25 |
3. send request from <ip>:<port> (Source) to 64.57.168.198:80 |
| 26 |
(Destination) |
| 27 |
|
| 28 |
The http server on gentoo.org says: |
| 29 |
1. I got a request on port 80 |
| 30 |
2. send request back to <ip>:<port> |
| 31 |
|
| 32 |
And if the firewall is install it checks the allowed chains if anyone is |
| 33 |
allowed to send packets to port 80 (The servers port 80, destination |
| 34 |
port) .. |
| 35 |
|
| 36 |
if you where to use sport instead of dport you would only allow the |
| 37 |
packet if the user sends from client port 80 which is very unlikely |
| 38 |
since ports below 1024 is privileged ports |
| 39 |
|
| 40 |
/Kim |
Archives