> 1. If only the daemons listed above run on my system, is it necessary to
> block unused ports?
> 2. Is it wise to block all ports above the REGISTERED PORT NUMBERS (above
> port 1000), when the system runs an HTTP server that answers clients
> from the global net on these ports, and a proxy server that answers the
> local clients on these ports ???

1.) For security reasons it is better to only allow incoming (via WAN) on the Registered Ports that are needed [ 0-1023 ], so any ports not needed within this range are either blocked or rejected.

2.) A lot of services such as FTP Passive Mode transfers require that you have incoming ports [1024-32768] or thereabouts, anyway not open but then not blocked or filtered either ... That's where conntrack ESTABLISHED & RELATED rules come in.

ESTABLISHED is where the conntracker has seen data already go both ways, and if it has it will do what you have set in its -j target.

RELATED takes care of the rest of the stuff that the conntracker doesn't know how to handle, e.g. an incoming ICMP packet is checked to see whether it is 'related' to another connection, such as an ICMP message for a Host Unreachable or something like that. It also takes care of other helpers such as FTP transfer data that was related to an FTP connection, same for IRC and DCC transfers ...
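The stateful INPUT policy the reply describes, written out as an added example (not from the original post): needed low ports accept NEW connections from the WAN, everything the tracker can tie to an existing flow (ESTABLISHED,RELATED) is accepted, and the rest is rejected. The WAN interface name and the allowed port list are assumed placeholders; by default the script only prints the rules, and applying them requires `IPT=iptables` and root.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset. Dry run by default:
# IPT=iptables WAN=eth0 ALLOWED_TCP="22 80" sh thisfile.sh  applies it for real.
IPT="${IPT:-echo iptables}"      # assumption: "echo iptables" = print only
WAN="${WAN:-eth0}"               # assumption: WAN-facing interface name
ALLOWED_TCP="${ALLOWED_TCP:-22 80}"  # assumption: low ports the host serves

build_input_rules() {
    $IPT -P INPUT DROP           # default: nothing gets in unless allowed below
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to flows already seen in both directions (ESTABLISHED) and
    # helper-tracked or ICMP-error traffic tied to a known flow (RELATED):
    # this is why the 1024-32768 range need not be opened wholesale.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets the tracker cannot attribute to any connection are dropped.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only the explicitly needed ports in 0-1023 accept NEW connections.
    for p in $ALLOWED_TCP; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else arriving from the WAN is rejected (policy DROP backs it).
    $IPT -A INPUT -i "$WAN" -j REJECT --reject-with icmp-port-unreachable
}

# Returns the number of rule commands the policy emits (handy for a dry run).
rule_count() { build_input_rules | grep -c .; }

build_input_rules
```

Passive FTP data channels are only classified RELATED when the ftp conntrack helper is attached; on current kernels automatic helper assignment is off by default, so an FTP server additionally needs a raw-table `-j CT --helper ftp` rule for port 21.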