firestarter blocking use of high ports by firefox and SSH
Jack Jackson
jackson.linux at gmail.com
Mon Aug 8 13:55:39 UTC 2005
Colin Watson wrote:
<snip>
>>If I allow any single one of those ports, traffic increments to the next
>>higher port and is then blocked again. Yet I worry about unblocking all
>>those ports because eventually (soon) they will be discovered by
>>unfriendly programs "out there".
>>
>>How can I safely allow my server's IP address to use those high ports
>>and get traffic through Firestarter? Or outside firestarter?
> I don't know how you do this in firestarter in particular, but the
> kernel's packet filtering infrastructure includes connection tracking,
> which understands when packets are "related" to others. The usual
> practice is to allow outgoing connections on those ports, disallow new
> incoming connections, and allow incoming packets that are associated
> with an established connection in some way.
Interesting.
>
> If you search for ESTABLISHED in the iptables man page, you should find
> useful information on this.
>
Well, yes and no. I scanned man and info iptables and both have the same
entries, describing what you have just said, to wit:
"Possible states are INVALID meaning that the packet is associated with
no known connection, ESTABLISHED meaning that the packet is associated
with a connection which has seen packets in both directions . . . "
However this is just not working. When I establish, for example, ssh
connections and forward to port 25 and 143, these work UNLESS the
firewall is on - and then it blocks traceroute and other extraneous
packets not to the ports to which I am forwarding, but to those high
ports I mentioned.
Can anyone advise me how to fix this problem?
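A minimal stateful ruleset implementing the pattern Colin describes (allow outbound, accept inbound only when conntrack marks it ESTABLISHED or RELATED, deny NEW inbound except SSH). This is an added example, not code from either poster or from Firestarter; IPT and SSH_PORT are assumed names, and by default the script only prints the iptables commands instead of applying them:

```shell
#!/bin/sh
# Added example: stateful INPUT policy using kernel connection tracking.
# IPT defaults to a dry run that prints the commands; run as root with
# IPT=iptables to apply them. SSH_PORT is an assumed, overridable value.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"

conntrack_rules() {
    # Default-deny inbound, permit outbound.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic (including locally forwarded SSH ports) is fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # The key rule: replies to connections this host opened arrive on
    # ephemeral high ports; conntrack classifies them as ESTABLISHED, and
    # ICMP errors such as traceroute's time-exceeded as RELATED, so no
    # fixed range of high ports has to be opened.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot associate with any connection are dropped.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only NEW inbound connection permitted: SSH.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

conntrack_rules
```

Older iptables versions express the same match as `-m state --state ESTABLISHED,RELATED`; the semantics are identical.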