Re: Restricting applications/protocols to use specific ports using iptables, is this possible

Hi all,  I realised that I did not ask the question in the right way in my
last mail to this list. I am trying to find some tool, or whatever
else, to open in the input and output chains only the ports I need; I mean, to
control which ports are open.
In other words, to have evidence of which ports are open and why. Maybe
this is funny for more experienced users, but I asked this question
here because I thought that iptables can help (and maybe it can), but I
do not know that :).


Regards to all,

Elvir Kuric


On 6/5/07, jwlargent <jwlargent@xxxxxxxxxxx> wrote:

Elvir Kuric wrote:
> On 6/4/07, Marc Haber <mh+netfilter@xxxxxxxxxxxx> wrote:
>> On Mon, Jun 04, 2007 at 01:37:07PM +0200, Elvir Kuric wrote:
>> > I am interested in one thing: is it possible, using iptables software, to
>> > limit a particular application/protocol to use/bind to particular
>> > ports.
>>
>> Why do you want to do that?
>
> :) I want to control which ports are open in output chain. Testing,
> exploring.
>
> I know it is not important which ports are open in the output chain;
> usually the output policy is set to accept.

It is important to know what ports are open in the output chain.  This
is exactly the attitude that helps the spread of Trojans and viruses.
You should only open ports you need. For example, a user brings in
a Trojan that tries to infect other systems and connects back to a monitor
somewhere to let it know about the host it just took over.  If you are
blocking the ports it uses to infect other systems, you limit the damage it
does.  Now there is nothing that keeps it from using a port you have open,
say port 80 (http), but at least you have tried to limit your exposure.

>
>>
>> > For example, I want to send all requests from my machine using
>> > ports I specify, not random ones,
>>
>> Why?
>>
>> >  or accept ping echo-reply on specific ports.
>>
>> Please get your facts straight. ICMP does not have ports.
>
> ICMP was just example, first on my mind in that moment :)
>
> Regards
>
> Elvir Kuric
>>
>> Greetings
>> Marc
>>
>> --
>> -----------------------------------------------------------------------------
>> Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
>> Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
>> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>>


--
Jeff Largent
System Administrator
Visual Lease Services Inc.
http://www.vlsmaps.com
(405) 379-5280
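The approach Jeff describes (open only the ports you need, and know why each one is open) as an added example for this thread; it is not code from any of the posters. The allowlist contents and the two helper names (gen_rules, undocumented_listeners) are constructed for illustration, and the rule set uses the classic `-m state` match that was current for iptables at the time.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny iptables policy
# from an explicit allowlist so that every open port has a recorded reason,
# then compare the INPUT allowlist with what is actually listening.
# Allowlist format (constructed): "<chain> <proto> <port|icmp-type> <reason>".
ALLOWLIST='INPUT tcp 22 ssh admin access
INPUT tcp 80 http web server
INPUT icmp echo-request ping reachability checks
OUTPUT udp 53 dns resolver
OUTPUT tcp 53 dns resolver
OUTPUT tcp 443 https package updates'

# Print the iptables commands. Loopback and replies to already accepted flows
# come first, then one NEW-connection rule per allowlist line (the reason
# becomes a trailing comment), then logging of what will be dropped, and the
# DROP policies last so a remote shell applying this is not cut off part-way.
gen_rules() {
    printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT' 'iptables -A OUTPUT -o lo -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$ALLOWLIST" | while read -r chain proto port reason; do
        [ -n "$chain" ] || continue
        if [ "$proto" = icmp ]; then
            match="-p icmp --icmp-type $port"      # ICMP has types, not ports
        else
            match="-p $proto --dport $port"
        fi
        printf 'iptables -A %s %s -m state --state NEW -j ACCEPT  # %s\n' \
            "$chain" "$match" "$reason"
    done
    printf '%s\n' "iptables -A INPUT -j LOG --log-prefix 'IN-DROP: '" \
        "iptables -A OUTPUT -j LOG --log-prefix 'OUT-DROP: '" \
        'iptables -P INPUT DROP' 'iptables -P OUTPUT DROP'
}

# Read "proto local_address:port" lines (the shape produced by
# `ss -Hlntu | awk '{print $1,$5}'`) and print the listeners that have no
# INPUT allowlist entry: open ports nobody has written down a reason for.
undocumented_listeners() {
    allowed=$(printf '%s\n' "$ALLOWLIST" | awk '$1=="INPUT"{printf " %s/%s", $2, $3}')
    while read -r proto addr; do
        port=${addr##*:}                           # works for 0.0.0.0:22, [::]:22, *:22
        case "$allowed " in
            *" $proto/$port "*) ;;
            *) printf '%s/%s\n' "$proto" "$port" ;;
        esac
    done
}

# On a live host (as root):  gen_rules | sh
#                            ss -Hlntu | awk '{print $1,$5}' | undocumented_listeners
```

Review the generated commands before piping them into sh, and keep the ESTABLISHED,RELATED rules, since they are what keeps the session you apply the policy from alive.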

