firestarter blocking use of high ports by firefox and SSH

Colin Watson cjwatson at ubuntu.com
Mon Aug 8 13:48:07 UTC 2005


On Mon, Aug 08, 2005 at 09:04:49AM -0400, Jack Jackson wrote:
> I'm having some problems with firestarter blocking use of high ports by 
> firefox and SSH.
> 
> On my machine, /proc/sys/net/ipv4/ip_local_port_range starts at 32768
> and 61000
[...]
> If I allow any single one of those ports, traffic increments to the next 
> higher port and is then blocked again. Yet I worry about unblocking all 
> those ports because eventually (soon) they will be discovered by 
> unfriendly programs "out there".
> 
> How can I safely allow my server's IP address to use those high ports 
> and get traffic through Firestarter? Or outside firestarter?

I don't know how you do this in firestarter in particular, but the
kernel's packet filtering infrastructure includes connection tracking,
which understands when packets are "related" to others. The usual
practice is to allow outgoing connections on those ports, disallow new
incoming connections, and allow incoming packets that are associated
with an established connection in some way.

If you search for ESTABLISHED in the iptables man page, you should find
useful information on this.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
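What Colin describes, written out as an iptables ruleset (an added example; it is not part of the original thread and not firestarter's own rules). It assumes the host from the question: it initiates outgoing connections, wants the replies to come back on the 32768-61000 ephemeral ports without a hole for each port, and offers only sshd on 22/tcp to the outside; change or drop the SSH_PORT line if that is not your machine. It uses the current `-m conntrack --ctstate` match; the older `-m state --state` module, which is what the ESTABLISHED entry in the iptables man page of the time refers to, is equivalent.

```shell
#!/bin/sh
# Added example, not from the original thread: a stateful IPv4 filter in
# iptables-restore format. Policy is "allow out, allow replies in, drop
# new inbound except ssh", which is the pattern Colin describes.

SSH_PORT=22   # assumption: sshd is the only service exposed; edit as needed

# Print the ruleset to stdout so it can be reviewed before it is loaded.
stateful_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies arriving on the 32768-61000 ephemeral ports are accepted here:
# conntrack already saw the matching connection leave, so no per-port
# exception is needed and the ports stay closed to unsolicited traffic.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service offered to the outside: NEW inbound ssh.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Any other new inbound connection falls through to the DROP policy;
# log a sample of it so refused traffic is visible in the kernel log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Usage: ./ruleset.sh          prints the rules for review
#        ./ruleset.sh --apply  loads them (needs root and iptables-restore)
if [ "$#" -gt 0 ] && [ "$1" = "--apply" ]; then
  stateful_ruleset | iptables-restore
else
  stateful_ruleset
fi
```

Run it plain first and read the output; run it with --apply as root to load the rules through iptables-restore. Since firestarter generates its own iptables rules, this is the "outside firestarter" route from the question rather than something to layer on top of it. It covers IPv4 only; the same rules would need loading through ip6tables-restore for IPv6.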
