On Tue, Apr 15, 2003 at 04:32:13PM +0530, Dharmendra.T spoke thusly:

> #iptables -A INPUT -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT

For this case, it doesn't matter because I doubt your telnet binary will be using 1-1024 ports for the outgoing telnet session initiation. It'll need to be setuid to make the bind() call I think (Unix systems).

> Any Comments? This could be a good practice?

For other services, yes it can be tied down further. IKE traffic is for source (UDP 500) <-> destination (UDP 500). I vaguely remember NTP also being tied down to port 123, but that might have been specific to my configuration settings, or even my source package.

I think there was (?) a tunable setting in /proc which can determine which outgoing port numbers should be used, and it'll recycle the numbers by itself.

If you are unlucky enough to be using (puke :-) MS Exchange, and your users require access remotely -- it requires full 1-65535 (or close enough) filter rules to be left wide open, unless you tweak the registry settings to limit the port ranges. It makes sense there.

--
"any nation that wants to control its borders can do so." - Tommy Franks; Mexicans && Columbia Drug War ?
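As an added example (not part of the thread), a small Python check of the point above: the /proc tunable the reply alludes to is /proc/sys/net/ipv4/ip_local_port_range (sysctl net.ipv4.ip_local_port_range), and any --sport restriction placed on client traffic must still cover that whole range or legitimate sessions get dropped. The sample range text and the rule strings built from the quoted telnet rule are constructed here; the IKE 500<->500 and NTP 123<->123 rules follow the thread.

```python
"""Check an iptables --sport restriction against the kernel ephemeral port range."""

PROC_RANGE = "/proc/sys/net/ipv4/ip_local_port_range"

# Constructed sample of the file's contents, used when /proc is unavailable.
SAMPLE_RANGE_TEXT = "32768\t60999\n"


def parse_port_range(text):
    """Parse the '<low><tab><high>' format of ip_local_port_range into a tuple."""
    low, high = (int(x) for x in text.split())
    if not (1 <= low <= high <= 65535):
        raise ValueError("port range out of bounds: %r" % text)
    return low, high


def local_port_range(path=PROC_RANGE):
    """Read the live ephemeral range; fall back to the constructed sample."""
    try:
        with open(path) as f:
            return parse_port_range(f.read())
    except (OSError, ValueError):
        return parse_port_range(SAMPLE_RANGE_TEXT)


def parse_sport(spec):
    """Parse an iptables --sport argument: 'N' or 'N:M' (either end may be empty)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 1), int(hi or 65535)
    return int(spec), int(spec)


def sport_covers_ephemeral(spec, ephemeral):
    """True if every source port the kernel may pick is matched by spec."""
    lo, hi = parse_sport(spec)
    return lo <= ephemeral[0] and ephemeral[1] <= hi


def client_rules(ephemeral):
    """The quoted telnet rule with --sport pinned to the ephemeral range,
    plus the symmetric IKE and NTP rules mentioned in the reply."""
    sport = "%d:%d" % ephemeral
    return [
        "iptables -A INPUT -s 192.168.1.0/24 -p tcp --sport %s --dport 23 -j ACCEPT" % sport,
        "iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT",
        "iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT",
    ]


if __name__ == "__main__":
    rng = local_port_range()
    print("ephemeral range:", rng, "covered by 1024:?", sport_covers_ephemeral("1024:", rng))
    print("\n".join(client_rules(rng)))
```

Note that older kernels defaulted to a much lower range (around 1024-4999), so pinning --sport to today's range on a host you do not control is exactly the kind of mistake this check catches.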