
RE: [suse-security] SuSEFirewall doesn't work?



> Markus A. Radner wrote:
> > If you take a look at the following entry of my log file you will see
> > that someone from source port 80 is connecting to (or trying to?) my
> > local port 1077. So I am curious. Which software is running there, or at
> > any other (high) port of interest? Is there any way to find out? (OK, I
> > know that there's a list of ports and protocols for low ports in
> > /etc/protocols; but what about higher ports?)
> > 
> > SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00
> > SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083
> > PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0
> > OPT (0101080A91D5DF560015679A)
> 
> Again, this is the *answer* from the http server at 64.151.x.x, port 80.
> Basically (most times), tcp/udp services accept connections on low ports
> (<1024), and clients connect to these services using high ports (>1024).
> Return packets use the same connection (ports).

And don't forget that NAT has been done in the meantime. NO ONE CAN ROUTE TO THE
LOCAL 192.168.0.2 address from outside. To be exact, NAT (Network Address
Translation) and PAT are done by the SuSE firewall. Both in combination are
called MASQUERADING. This rewrites the answer packets.

Otherwise your LAN behind the firewall couldn't reach locations on the
internet. I am sure that you have only one official IP, given by your
provider! All clients in your LAN have to share this one IP, and this is
done by MASQUERADING.

So you can't tell from the given log entry which port was really allocated
on the outside.

For this you have to run *tcpdump* on your outside interface and then make
another HTTP request. That will clear up much of the confusion.

Tom
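As an added illustration of the triage the replies above describe (this is example code, not from the thread or from SuSEfirewall itself), here is a small parser for the SuSE-FW log format that applies the same rule of thumb: ACK set, no SYN, well-known source port and ephemeral destination port means the reply half of a connection the inside host opened, whereas a bare SYN to a high port would be a genuine inbound attempt. The sample lines are constructed, with the source address masked as in the original post.

```python
# Constructed sample: the SuSE-FW-ACCEPT line discussed in the thread.
SAMPLE_LOG = (
    "SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 "
    "SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 "
    "PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 "
    "OPT (0101080A91D5DF560015679A)"
)

# Bare tokens that netfilter prints for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_log(line):
    """Split a netfilter/SuSEfirewall log line into a dict.

    KEY=VALUE tokens become entries; bare flag tokens (ACK, SYN, ...) are
    collected under 'flags'; the leading SuSE-FW-* prefix is kept under
    'prefix'. Tokens such as 'OPT (...)' are ignored.
    """
    tokens = line.split()
    fields = {"prefix": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
    return fields


def classify_direction(fields):
    """Apply the rule of thumb from the thread to one parsed TCP log line."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        # First packet of a new connection: someone really is connecting to DPT.
        return "new-connection-to-us"
    if "ACK" in flags and spt < 1024 <= dpt:
        # Server-side port talking back to a client-side ephemeral port.
        return "reply-from-server"
    return "established-or-other"


if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE_LOG)
    print(parsed["SRC"], parsed["SPT"], "->", parsed["DST"], parsed["DPT"],
          classify_direction(parsed))
```

Remember Tom's caveat: behind masquerading, DST and DPT in this log are the inside host's view, so the port actually allocated on the outside interface can only be seen with tcpdump there.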

