Re: Email Server Timeouts

On Thursday 19 February 2004 6:49 pm, Corey Furman wrote:

> Thanks, Antony.  Just because I do a thing, doesn't mean I know why I do
> it :P
>
> I (believe it or not) close those ports because I did not think anything
> would use them, and I sort of approach the firewall as:
>     + close everything
>     + poke holes where needed

That is a good approach, however I think you need to read about what 
"stateful" means for netfilter, because this feature means you can block all 
inbound ports, *except the ones needed for replies, on connections which are 
current*, with only a single rule in your INPUT chain.

> This may sound like a stupid question, but why aren't the SMTP and POP
> ports sufficient?

Those are destination ports.   Your INPUT rule was blocking the replies back 
to the source ports.

In case you're not sure how TCP and UDP connections work, a machine connects 
*to* a well-known port number (eg TCP port 25 in the case of SMTP), but it 
connects *from* more or less any port it likes (from 1 to 65535), depending 
on what it happens to choose at the time the connection gets made (yes, 
successive connections will use different source port numbers).

It is important that your ruleset allows in the reply packets, as well as 
allowing out the initial connection packet.

In fact, just as a reminder, I will choose the sig on this email 
specifically...

Regards,

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the list;
                                                           please don't CC me.
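The behaviour Antony describes, as an added example that is not part of the original post or of netfilter itself: a small Python model of the INPUT chain that shows why a ruleset accepting only the service destination ports (25 for SMTP, 110 for POP3) drops the replies to the server's own outbound connections, why matching on source port instead is an unsafe workaround, and how a single ESTABLISHED,RELATED rule in front of the port rules fixes it. The conntrack table is a toy stand-in for the kernel's, and the addresses and port numbers are constructed for illustration.

```python
"""
Added example, not from the original mailing-list post: a toy model of the
netfilter INPUT chain showing why accepting only the service *destination*
ports drops the replies to the host's own outbound connections, and why one
stateful ESTABLISHED,RELATED rule is the right fix. Addresses and ports are
constructed; the Conntrack class is a stand-in for the kernel's table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


SERVICE_PORTS = {25, 110}          # the only ports this host listens on


def stateless_input(pkt):
    """Model of a chain that looks only at --dport:
         iptables -P INPUT DROP
         iptables -A INPUT -p tcp --dport 25  -j ACCEPT
         iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    """
    if pkt.proto == "tcp" and pkt.dst_port in SERVICE_PORTS:
        return "ACCEPT"
    return "DROP"


def sport_workaround_input(pkt):
    """A tempting but unsafe workaround: also accept by *source* port, e.g.
         iptables -A INPUT -p tcp --sport 25 -j ACCEPT
    Anything sent from port 25 now reaches every local port, tracked or not."""
    if pkt.proto == "tcp" and (pkt.dst_port in SERVICE_PORTS or pkt.src_port == 25):
        return "ACCEPT"
    return "DROP"


class Conntrack:
    """Stand-in for the kernel connection-tracking table: it remembers the
    5-tuple of each connection's original direction, so an inbound packet
    whose tuple is the mirror image of a known one is a reply."""

    def __init__(self):
        self.original = set()

    def note_outbound(self, pkt):
        # Called for every packet the host itself sends (OUTPUT chain).
        self.original.add((pkt.proto, pkt.src_ip, pkt.src_port,
                           pkt.dst_ip, pkt.dst_port))

    def state(self, pkt):
        mirror = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ESTABLISHED" if mirror in self.original else "NEW"


def stateful_input(pkt, ct):
    """Model of the chain Antony describes, stateful rule first:
         iptables -P INPUT DROP
         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
         iptables -A INPUT -p tcp --dport 25  -m state --state NEW -j ACCEPT
         iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
    (RELATED, e.g. ICMP errors for a tracked connection, is not modelled.)
    """
    if ct.state(pkt) == "ESTABLISHED":
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dst_port in SERVICE_PORTS:
        return "ACCEPT"
    return "DROP"


def verdicts():
    """Run three inbound packets through each chain and return the verdicts.
    Our mail server (192.0.2.10) is delivering mail to 198.51.100.20:25 from
    an ephemeral source port; all values are constructed."""
    ct = Conntrack()
    me, peer, other = "192.0.2.10", "198.51.100.20", "203.0.113.7"

    # The host's own outbound SMTP connection; conntrack records it.
    ct.note_outbound(Packet("tcp", me, 44123, peer, 25))

    packets = {
        # The peer's reply comes back *from* port 25 *to* port 44123.
        "reply_to_our_smtp": Packet("tcp", peer, 25, me, 44123),
        # A client connecting to our POP3 service: a legitimate NEW connection.
        "new_pop3_client": Packet("tcp", other, 51000, me, 110),
        # Unsolicited packet at a closed local port, sent from source port 25.
        "spoofed_sport_25": Packet("tcp", other, 25, me, 22),
    }
    return {
        name: {
            "stateless": stateless_input(p),
            "sport_workaround": sport_workaround_input(p),
            "stateful": stateful_input(p, ct),
        }
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:20s} {v}")
```

The reply to the host's own SMTP delivery is dropped by the destination-port-only chain, because its destination is the ephemeral source port the host happened to pick, not 25 or 110. Matching on source port lets it through, but also lets in anything an attacker sends from port 25. The stateful rule accepts exactly the packets that belong to a connection the host already opened, and leaves the rest to the destination-port rules.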
