
Re: [suse-security] SuSEFirewall doesn't work?



Hi.

Please, please, please... Can anyone tell me how to use PAT under 
SuSEFirewall2?

Sorry for using this thread to ask this, but Tom mentioned it and I got 
nervous because I have been trying it for a while. In the end, I used squid for 
apache, but I found nothing for ssh and cvs, so I have to check the 
firewall logs along with the ssh, cvs and snort logs.

Regards.

On Tuesday, 11 May 2004 17:32, Tom Kramer wrote:
> > Markus A. Radner wrote:
> > > If you take a look at the following entry of my log file you will see that 
> > > someone from source port 80 is connecting to (or trying to?) my local 
> > > port 1077. So I am curious. Which software is running there, or at any 
> > > other (high) port of interest? Is there any way to find out? (OK, I 
> > > know that there's a list of ports and protocols for low ports in 
> > > /etc/protocols; but what about higher ports?)
> > > 
> > > SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00
> > > SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083
> > > PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 OPT (0101080A91D5DF560015679A)
> > 
> > Again, this is the *answer* from the http server at 64.151.x.x, port 80.
> > Basically (most times), tcp/udp services accept connections on low ports 
> > (<1024), and clients connect to these services using high ports (>1024).
> > Return packets use the same connection (ports).
> 
> And don't forget that NAT has been done meanwhile. NO ONE CAN ROUTE TO THE
> LOCAL 192.168.0.2 address from outside. To be exact, NAT
> (Network Address Translation) and PAT will be done by the SUSE Firewall.
> Both in combination is called MASQUERADING. This manipulates the
> answer packets. 
> 
> Otherwise your LAN behind the firewall can't address locations on the
> internet. I am sure that you have only one official IP given by your
> provider! All clients in your LAN have to share this one IP. And this will
> be done by MASQUERADING.
> 
> So you can't conclude from the given log entry which port is really
> allocated on the outside.
> 
> For this you have to do a *tcpdump* on your outside interface. And then do
> another http request. This will clear up much of the confusion.
> 
> Tom
> 
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 
> 

-- 
---------------------------------------------------------------------------------
Manuel Balderrábano

e-mail: garibolo@xxxxxxxxxx
---------------------------------------------------------------------------------
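Since the thread turns on how to read that SuSE-FW log entry, and on why the LAN-side port in it is not what the outside sees under MASQUERADING, here is an added example of my own (not code from any poster or from SuSEfirewall2): it parses the entry, applies the low-port/high-port rule of thumb from the replies, and models the NAT+PAT table with an assumed, simplified Masquerade class. The public IP 203.0.113.5, the port base 61000 and the address 64.151.0.1 are made up.

```python
import re

SAMPLE = (  # constructed: the entry Markus posted, joined onto one line (octets masked as "x")
    "SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:a0:d1:d5:b4:3c:00:09:5b:a8:3e:c0:08:00 "
    "SRC=64.151.x.x DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=2083 "
    "PROTO=TCP SPT=80 DPT=1077 WINDOW=7504 RES=0x00 ACK URGP=0 "
    "OPT (0101080A91D5DF560015679A)")

FIELD = re.compile(r"([A-Z]+)=(\S*)")                   # KEY=VALUE tokens (OUT= gives "")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # netfilter logs these as bare tokens

def parse_fw_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields plus the set of TCP flags."""
    rec = dict(FIELD.findall(line))
    rec["prefix"] = line.split()[0]                      # e.g. SuSE-FW-ACCEPT
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec

def classify(rec):
    """Rule of thumb from the replies: low source port -> high destination port with ACK
    (and no SYN) is the server's reply to a connection our own client opened."""
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "new inbound connection attempt to port %d" % dpt
    if spt < 1024 and dpt >= 1024 and "ACK" in rec["flags"]:
        return "reply from service port %d to our client port %d" % (spt, dpt)
    return "other"

class Masquerade:
    """Assumed toy model of the masquerading (NAT+PAT) table; real netfilter conntrack
    picks ports differently. It shows why the LAN-side log port differs from the outside."""
    def __init__(self, public_ip, first_port=61000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN client's outgoing packet; return the 4-tuple a tcpdump outside sees."""
        key = (self.public_ip, self.next_port, dst_ip, dst_port)
        self.table[key] = (src_ip, src_port)             # remember how to undo the rewrite
        self.next_port += 1
        return key
    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply arriving at the public IP back to (lan_ip, lan_port), or None."""
        return self.table.get((dst_ip, dst_port, src_ip, src_port))

if __name__ == "__main__":
    rec = parse_fw_line(SAMPLE)
    print(rec["prefix"], classify(rec))
    nat = Masquerade("203.0.113.5")                      # made-up public IP
    outside = nat.outbound("192.168.0.2", 1077, "64.151.0.1", 80)
    print("outside sees", outside, "-> reply delivered to", nat.inbound("64.151.0.1", 80, *outside[:2]))
```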


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here