On Mon, 2002-06-24 at 03:50, Conny R. Landstedt wrote:
> To Kim Nielsen & Gentoo-dev
>
> In the "Gentoo Linux Security Guide"
> > Code listing 64: /etc/init.d/firewall
> > #Incoming traffic
> > einfo "Creating incoming ssh traffic chain"
> > $IPTABLES -N allow-ssh-traffic-in
> > $IPTABLES -F allow-ssh-traffic-in
> > $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
>
> I'm not absolutely certain, but shouldn't it be "--dport" instead of
> "--sport"?
>

No .. since --sport would be the client port and not the actual port of
the service.

Example:

You create an HTTP request to gentoo.org and this is what happens:

1. get the IP for gentoo.org (64.57.168.198)
2. allocate a client port
3. send the request from <ip>:<port> (Source) to 64.57.168.198:80
(Destination)

The HTTP server on gentoo.org says:
1. I got a request on port 80
2. send the reply back to <ip>:<port>

And if the firewall is installed, it checks the allowed chains to see if
anyone is allowed to send packets to port 80 (the server's port 80, the
destination port) ..

If you were to use sport instead of dport you would only allow the
packet if the user sends from client port 80, which is very unlikely
since ports below 1024 are privileged ports.

/Kim
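To make the direction of the ports concrete, here is an added example that is not part of the thread or of the Gentoo Security Guide: a tiny iptables-style matcher that parses the `-p`/`--sport`/`--dport`/`-j` subset of rule syntax used in the listing and walks a one-rule chain over two constructed packets, a client's inbound SSH connection and the server's reply to it. The `SERVICES` table, the `Packet`/`Rule` types, the `evaluate` helper and the addresses are all assumptions made for this example (addresses come from the documentation ranges, not real hosts).

```python
# Added example (not from the original mail or the Gentoo Security Guide):
# a tiny iptables-style matcher that evaluates "--sport"/"--dport" rules
# against constructed packets, to show which port a service rule must test.
from dataclasses import dataclass
from typing import List, Optional

# Assumed service-name table, standing in for /etc/services.
SERVICES = {"ssh": 22, "http": 80}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    target: str


def port_of(name: str) -> int:
    """Resolve a service name or numeric string to a port number."""
    return SERVICES[name] if name in SERVICES else int(name)


def parse_rule(spec: str) -> Rule:
    """Parse the subset of iptables syntax used in the listing: -p, --sport, --dport, -j."""
    tokens = spec.split()
    proto = sport = dport = target = None
    i = 0
    while i < len(tokens):
        flag, arg = tokens[i], tokens[i + 1]
        if flag == "-p":
            proto = arg
        elif flag == "--sport":
            sport = port_of(arg)
        elif flag == "--dport":
            dport = port_of(arg)
        elif flag == "-j":
            target = arg
        else:
            raise ValueError(f"unsupported option {flag}")
        i += 2
    if target is None:
        raise ValueError("rule has no -j target")
    return Rule(proto, sport, dport, target)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it specifies equals the packet's field."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


def evaluate(spec: str, pkt: Packet) -> str:
    """Run one rule, with a DROP policy, against a packet and return the verdict."""
    return walk_chain([parse_rule(spec)], pkt)


# Constructed packets (documentation-range addresses, not real hosts).
# A client opens an SSH session: ephemeral source port, destination port 22.
INBOUND_SSH = Packet("tcp", "203.0.113.5", 51234, "198.51.100.7", 22)
# The server's reply to that session travels the other way: source port 22.
SERVER_REPLY = Packet("tcp", "198.51.100.7", 22, "203.0.113.5", 51234)

if __name__ == "__main__":
    for spec in ("-p tcp --sport ssh -j ACCEPT", "-p tcp --dport ssh -j ACCEPT"):
        print(f"{spec:32s} inbound connection -> {evaluate(spec, INBOUND_SSH)}, "
              f"server reply -> {evaluate(spec, SERVER_REPLY)}")
```

Run stand-alone, the `--sport ssh` rule drops the client's incoming connection (its source port is the ephemeral 51234) and accepts only the server's own reply traffic, while the `--dport ssh` rule does the opposite; on a chain that is meant to admit incoming connections, the port the service listens on is the packet's destination port.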