firestarter blocking use of high ports by firefox and SSH - SOLVED
Jack Jackson
jackson.linux at gmail.com
Mon Aug 8 14:51:20 UTC 2005
Guy named Rob has made a firewall package specifically for ubuntu. It's
WICKED cool, simple and locks down everything.
http://rob.pectol.com/content/view/27/1/
http://ubuntuforums.org/showthread.php?t=50014&page=1&pp=10
Jack Jackson wrote:
> Colin Watson wrote:
> <snip>
>
>>> If I allow any single one of those ports, traffic increments to the
>>> next higher port and is then blocked again. Yet I worry about
>>> unblocking all those ports because eventually (soon) they will be
>>> discovered by unfriendly programs "out there".
>>>
>>> How can I safely allow my server's IP address to use those high ports
>>> and get traffic through Firestarter? Or outside firestarter?
>
>> I don't know how you do this in firestarter in particular, but the
>> kernel's packet filtering infrastructure includes connection tracking,
>> which understands when packets are "related" to others. The usual
>> practice is to allow outgoing connections on those ports, disallow new
>> incoming connections, and allow incoming packets that are associated
>> with an established connection in some way.
>
> Interesting.
>
>>
>> If you search for ESTABLISHED in the iptables man page, you should find
>> useful information on this.
>>
>
> Well, yes and no. I scanned man and info iptables and both have the same
> entries, describing what you have just said, to wit:
>
> "Possible states are INVALID meaning that the packet is associated with
> no known connection, ESTABLISHED meaning that the packet is associated
> with a connection which has seen packets in both directions . . . "
>
> However this is just not working. When I establish, for example, ssh
> connections and forward to port 25 and 143, these work UNLESS the
> firewall is on - and then it blocks traceroute and other extraneous
> packets not to the ports to which I am forwarding, but to those high
> ports I mentioned.
>
> Can anyone advise me how to fix this problem?
>
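Colin's advice above, as an added example (not code from the thread or from Firestarter): a minimal iptables ruleset that drops new inbound connections, admits only the reply traffic that connection tracking marks ESTABLISHED or RELATED, and never opens the high ephemeral ports inbound. The function names fw_rules, fw_rule_count, fw_apply and the SSH_PORT variable are my own choices; the iptables options are the standard ones the man page describes.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# SSH_PORT is an assumed variable: the one inbound service we want reachable.
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset one command per line instead of running it, so the policy
# can be reviewed (or checked without root) before it is applied.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
}
# Why this fixes the "high ports" problem: an outgoing ssh session (or the
# ports 25/143 tunnelled through it) is NEW on the way out, so OUTPUT lets it
# through; every packet coming back is ESTABLISHED and is accepted by the
# single state rule, whatever ephemeral source port the kernel picked.
# Traceroute's UDP probes likewise leave as NEW; the ICMP "time exceeded"
# replies they trigger are classified RELATED, so they pass too. Nothing
# listening on a high port is ever reachable from outside.

# Number of emitted rules mentioning a given state or option string.
fw_rule_count() {
    fw_rules | grep -c -- "$1"
}

# Apply the ruleset for real (needs root); stops on the first failing command.
fw_apply() {
    fw_rules | sh -e
}
```

Firestarter writes its own iptables chains, so compare its generated rules (iptables -L -v -n) against this shape rather than running both at once.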
More information about the ubuntu-users mailing list