firestarter blocking use of high ports by firefox and SSH

Jack Jackson jackson.linux at gmail.com
Mon Aug 8 13:55:39 UTC 2005


Colin Watson wrote:
<snip>

>>If I allow any single one of those ports, traffic increments to the next 
>>higher port and is then blocked again. Yet I worry about unblocking all 
>>those ports because eventually (soon) they will be discovered by 
>>unfriendly programs "out there".
>>
>>How can I safely allow my server's IP address to use those high ports 
>>and get traffic through Firestarter? Or outside firestarter?

> I don't know how you do this in firestarter in particular, but the
> kernel's packet filtering infrastructure includes connection tracking,
> which understands when packets are "related" to others. The usual
> practice is to allow outgoing connections on those ports, disallow new
> incoming connections, and allow incoming packets that are associated
> with an established connection in some way.

Interesting.

> 
> If you search for ESTABLISHED in the iptables man page, you should find
> useful information on this.
>

Well, yes and no. I scanned man and info iptables and both have the same 
entries, describing what you have just said, to wit:

"Possible states are INVALID meaning that the packet is associated with 
no known connection, ESTABLISHED meaning that the packet is associated 
with a connection which has seen packets in both directions . . . "

However, this is just not working. When I establish, for example, ssh 
connections and forward to port 25 and 143, these work UNLESS the 
firewall is on - and then it blocks traceroute and other extraneous 
packets not to the ports to which I am forwarding, but to those high 
ports I mentioned.

Can anyone advise me how to fix this problem?
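The stateful ruleset Colin describes, written out as an added example (not code from this thread, and not how Firestarter itself builds its rules): outgoing connections are allowed, inbound packets belonging to or related to an existing connection are accepted, and only then is NEW inbound traffic dropped. The RELATED state also covers ICMP errors matched to an outstanding probe, which is what traceroute relies on. The interface name and the single served port are assumptions; by default the script only prints the commands, and installs them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Minimal stateful iptables ruleset: outbound allowed, replies allowed,
# unsolicited inbound dropped. Prints commands unless APPLY=1.
IFACE="${IFACE:-eth0}"        # assumed external interface
SSH_PORT="${SSH_PORT:-22}"    # assumed inbound SSH service port

# run_or_print: executes the rule when APPLY=1, otherwise prints it.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# stateful_rules: emits the rules. Order matters: the ESTABLISHED,RELATED
# accept must precede the rule dropping NEW inbound traffic, otherwise the
# replies arriving on ephemeral high ports (SSH, IMAP, SMTP sessions you
# opened yourself) are dropped along with everything else.
stateful_rules() {
    run_or_print iptables -P INPUT DROP
    run_or_print iptables -P FORWARD DROP
    run_or_print iptables -P OUTPUT ACCEPT
    run_or_print iptables -A INPUT -i lo -j ACCEPT
    # Replies to our own connections, plus related packets such as the
    # ICMP errors a traceroute probe provokes.
    run_or_print iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_or_print iptables -A INPUT -m state --state INVALID -j DROP
    # The one service we accept unsolicited connections for: SSH.
    run_or_print iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Any other NEW connection from outside is dropped, high ports included.
    run_or_print iptables -A INPUT -i "$IFACE" -m state --state NEW -j DROP
}

# rules_ordered_correctly: returns 0 when the ESTABLISHED,RELATED accept
# appears before the NEW drop in the generated ruleset.
rules_ordered_correctly() {
    est=$(stateful_rules | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    drop=$(stateful_rules | grep -n -- '--state NEW -j DROP' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

stateful_rules
```

Run it once without APPLY to read the rules, then `APPLY=1 sh rules.sh` as root to install them; `rules_ordered_correctly` is a quick self-check that the accept-before-drop ordering has not been lost during editing.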
