[Courses] [Security] Firewall theory -- general

coldfire rolick571 at duq.edu
Mon Mar 11 21:09:38 EST 2002


> > Clients that open connections to servers use high
> > numbered ports.  
> 
> The numbers that the clients choose to initiate from - is that a
> predefined port, or do they pick it at random?

i think it's random .. it would depend on the particular program, however.

> > When the server sends its reply packets back to the client, they'll be
> > sent to port 35642.  So if you set up a firewall that blocks all ports
> > except for the services you run, you get this:
> > 
> > Client:     ---------------|----|---------------->  Server
> > 10.1.1.47, port 35642      | fw |                   10.1.1.2, port 22
> >                            |   *|----------------
> 
> Ok, now I'm a bit confused here.... If I only block incoming ports,
> then doesn't that mean that the server can still send stuff out on any
> port??

by default, there are three "tables."  INPUT, FORWARD, and OUTPUT.  each
can have different policies and each has its own rules.  however, in the
above example, i believe the Client to be "behind" the firewall, and the
server on the internet.

> One thing is maybe decide if should drop or deny?

personally, i'm a deny (reject with kernel 2.4.x) kind of guy.  for those
wondering what the difference is, "drop" will drop the packet on the
floor.  ignore it completely.  deny (reject) is a bit nicer as it will
respond with "i'm not going to accept this packet."  i don't remember if
you can with 2.2 kernels, but with 2.4 kernels you can specify what you
want to reply with.  which is nice .. because it's in this manner that you
can completely hide that a service is offered to particular hosts or
networks.

for example, if i'm offering ftp but i set the default policy to DROP,
when someone tries to connect to port 21, it will do absolutely nothing
whereas if they tried to connect to port 2430 (which hosts nothing) they
would receive a tcp-reset (detailed TCP stuff).  this would allow a "would
be" hacker to learn that ftp is indeed offered on this host ... he just
can't get it from his particular IP or network.  however, if i set the
default policy to reject with a tcp-reset and he tried to connect to port
21, it would appear as though he tried to connect to port 2154, 4234,
and so on ... never knowing the service was even offered.


coldie
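The two rulesets the post contrasts, written out as an added example; this is not code from the original message or from the list. It assumes the scenario in the thread (ftp on tcp/21 offered only to one network, here the constructed placeholder 10.1.1.0/24) and the iptables syntax of the 2.4-era netfilter; `IPT`, `ALLOWED_NET`, `drop_variant` and `reject_variant` are names chosen for this example. One caveat from iptables itself: a built-in chain's policy (`-P`) can only be ACCEPT or DROP, so the tcp-reset reply has to be an ordinary REJECT rule rather than the chain policy.

```shell
#!/bin/sh
# Added example, not from the original post. By default IPT is "echo iptables",
# so running this prints the rules instead of changing the live firewall;
# run as root with IPT=iptables to actually apply a variant.
IPT=${IPT:-"echo iptables"}
ALLOWED_NET=${ALLOWED_NET:-10.1.1.0/24}   # constructed placeholder network

# Variant 1: unwanted ftp connections are silently dropped. Ports with no
# service (e.g. 2430) are not filtered, so the kernel answers a SYN to them
# with a TCP RST. Port 21 is the only "silent" port, which reveals that
# something is listening there but filtered for this source.
drop_variant() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -s "$ALLOWED_NET" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -j DROP
}

# Variant 2: unwanted ftp connections get a TCP RST, the same answer the
# kernel gives for a closed port. From outside ALLOWED_NET, port 21 now looks
# like 2154, 4234 or any other closed port. REJECT cannot be a chain policy,
# so it is expressed as the last rule for that port.
reject_variant() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -s "$ALLOWED_NET" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset
}

# Print both variants so the difference in the last rule is visible.
echo "# variant 1: silent drop"
drop_variant
echo "# variant 2: reject with tcp-reset"
reject_variant
```

Running the script as-is prints the eight `iptables` commands; only the final rule differs between the variants, and that rule is what decides whether a refused connection attempt is distinguishable from a closed port.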
