> Hi,
> I will set a filter for a specific user to only allow accessing http port
> 80 (public port) at a specific host.
>
> Is this filter below enough to work properly :
>
> input filter : permit 0.0.0.0/0 202.152.0.251/32 tcp dst eq 80
> output filter : permit 202.152.0.251/32 0.0.0.0/0 tcp src eq 80
>
> TIA,
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Yohannes Aries Sulistyono email : aries@idola.net.id
No, no, no. The request will go out from a user's machine, from an
unknown host. In other words the initial request will be in the format:
    Source IP:   user's.host
    Source Port: unknown (but > 1023)
    Dest IP:     known.host
    Dest Port:   80
but because the server must keep port 80 open for more requests it
transfers the socket to another port on the machine. All packets after
the original will have an ACK (acknowledge) bit set. This bit can be used
to distinguish between a request for a connection and the data of the
connection! See my earlier email about firewalls and security (packet
filters) for information on further research as to the connection
algorithm. But anyway, the actual map of the connection will be as
follows:
    Source IP:   user's.host
    Source Port: unknown (but the same as above)
    Dest IP:     known.host
    Dest Port:   unknown (but > 1023)
My suggestion:

Filter In:
    allow only established connections.
    deny everything else
Filter Out:
    deny everything DANGEROUS
    allow established connections
    allow port 80 to HTTP Server
    allow port 53 to Domain Name Server
    allow ports > 1023
        This allows requests to go out to the port
        allocated by the server's computer for the new
        HTTP requests.
    deny everything else
This is a VERY CRUDE example and you should read
_Firewalls_&_Internet_Security yada yada yada to really understand 'What's
up'. There are actually many books available but you should read one (at
least).
Tres
tres@chaffee.net
--If you think it to be idiot proof,
then you haven't met the "Latest 'n Greatest" idiot!
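The thread turns on one mechanism: a stateless packet filter cannot tell a new connection request from reply traffic by addresses and ports alone, but it can by looking at the TCP ACK bit. The script below is an added example (written for this page, not code from either poster or from any router vendor) that models a tiny ACL evaluator and runs the question's port-only filter side by side with an "established"-style filter over a few constructed packets. Assumptions: the `established` flag is modeled on the semantics of the Cisco ACL keyword of that name (a packet matches when ACK or RST is set); the user address 192.0.2.10 and third-party address 203.0.113.5 are constructed documentation-range values; "to_host" means traffic from the user toward 202.152.0.251 and "to_user" means traffic back toward the user, which is my reading of which way each of the two filters faces.

```python
"""Tiny stateless packet-filter model (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source prefix
    dst: str = "0.0.0.0/0"      # destination prefix
    sport_eq: Optional[int] = None
    dport_eq: Optional[int] = None
    # Modeled on the Cisco ACL 'established' keyword: match only when ACK or RST is set,
    # i.e. the packet belongs to an already-started connection rather than opening one.
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport_eq is not None and p.sport != self.sport_eq:
            return False
        if self.dport_eq is not None and p.dport != self.dport_eq:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; an empty or non-matching list is an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


HOST = "202.152.0.251"   # the web server named in the question
USER = "192.0.2.10"      # constructed user address (RFC 5737 documentation range)
OTHER = "203.0.113.5"    # constructed third-party address

# Ruleset A: the port-only filter from the question, one list per direction.
A_TO_HOST = [Rule("permit", "0.0.0.0/0", HOST + "/32", dport_eq=80)]
A_TO_USER = [Rule("permit", HOST + "/32", "0.0.0.0/0", sport_eq=80)]

# Ruleset B: the reply's idea, traffic back toward the user is accepted only when
# the ACK (or RST) bit says it belongs to a connection the user already opened.
B_TO_HOST = [Rule("permit", "0.0.0.0/0", HOST + "/32", dport_eq=80)]
B_TO_USER = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", established=True)]


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Return {scenario name: (ruleset A verdict, ruleset B verdict)} for constructed packets."""
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    scenarios = {
        "client SYN to host:80":           ("to_host", Packet(USER, HOST, 40000, 80, syn)),
        "server SYN/ACK reply from :80":   ("to_user", Packet(HOST, USER, 80, 40000, synack)),
        # A new connection attempt toward the user that merely uses source port 80:
        # indistinguishable from a reply by ports alone, but it carries no ACK.
        "unsolicited SYN from host:80":    ("to_user", Packet(HOST, USER, 80, 40000, syn)),
        "SYN from third party to user:80": ("to_user", Packet(OTHER, USER, 40001, 80, syn)),
    }
    results: Dict[str, Tuple[str, str]] = {}
    for name, (direction, pkt) in scenarios.items():
        a_rules = A_TO_HOST if direction == "to_host" else A_TO_USER
        b_rules = B_TO_HOST if direction == "to_host" else B_TO_USER
        results[name] = (evaluate(a_rules, pkt), evaluate(b_rules, pkt))
    return results


if __name__ == "__main__":
    for name, (a, b) in run_scenarios().items():
        print(f"{name:34s} port-only: {a:6s} established-check: {b}")
```

The first two scenarios (the real request and its SYN/ACK reply) pass under both rulesets, so the question's filter does let the web session through. The third scenario is the one that separates them: a connection request toward the user that simply originates from port 80 is permitted by the port-only rule and refused by the ACK check, which is the distinction the reply is making. The model is deliberately stateless, as the ACLs in the thread are; a stateful firewall would track the user's outbound SYN and admit only the matching reply flow.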