Firewall Question

tom tmarinis99
Mon May 17 11:43:05 PDT 2004


Greets list, Jim;

Jim Bonnet <jimbo at sysdump.com> wrote:

>Could someone enlighten me on the finer aspects of firewalling.

I'll try.  Although I'm a comparative newbie, I think I can expand
on your question a little, from what little I know.  I hope not
to make any mistakes, but I'm sure we'll hear about it here :)

> What I 
>have is a new netgear router/firewall at home. It all works very well, 
>but.. In the logs that it generates I see that The IMAPS server I am 
>connecting to wants to make a connection back to me on some high port.

Hmmm... I do not know about a high port request from a mailserver,
but I do know that POP and SMTP servers attempt an identd/AUTH connection
to the client.  Sounds like your firewall rules DENY this port
that the mail server is attempting.

Typically, the request is on TCP port 113.  When this occurs, the mailer
attempts to identify the client machine, gathering what information
it can on the sender.

This may also mean that you could be waiting up to 60 seconds to
send some mail.  If the mailserver's request was REJECTED, the identd
request would be dropped right away, and then the mail server would
pick up some speed.

If your mailserver uses a specific high port consistently, then you
could theoretically choose this port for a REJECT on the router
( if you can ).

However, please also remember, you will see a lot of dropped packets
from your firewall because of this ( the router I mean ).


>My question is should I open these high ports to allow this? None of the 
>rules I have created allow this so it goes to the default rule which is
>deny.

Change that single port to reject.  Typically it is TCP 113.  I don't
know why your mailserver would choose a high port, but if you installed
it, you may know more about what is set up and why it would search
in this manner.

Maybe have your mailserver set up to ident or auth the client from
a specific port, and then have this specific port REJECTED on the firewall.

I would ask D. Bandel, Kurt, Net Llama, D.Hunley or anyone else here,
especially those that frequent this list, as to where to look.  I've 
yet to set up a mailer, and I'm afraid to give you bad advice as to
how to proceed from here.


>Further, I have googled and also been reading the oreilly book about 
>building internet firewalls, and it says nothing about IMAP making a 
>connection back to the client on a high port.

Wow. Can I suggest one?  The information on it is accurate, and
was written in 2000, with some links now out of date, but I still 
look at it from time to time for reference purposes.

http://www.robertgraham.com

specifically, you will want to review section 4 from following
web page...

http://www.robertgraham.com/pubs/firewall-seen.html

The explanation I've given you is from what I gleaned from this
page.  There are other items, which also still apply for
other firewall topics, which may interest you.


>Here is a snip from the log:
>
>2003 Jan 11 10:09:12 (FM114P-2a-5f-a4) 63.206.87.66 TCP packet - 
>Source:63.206.87.67,993,WAN - Destination:63.206.87.66,33815,LAN [Drop] 
>- [Inbound Default rule match]
>
>When this happens I lose the connection to IMAP and I need to relogin, 
>so this must be a discovery packet or something I suppose.
>
>What would the suggestion be?
>
>Thanks-
>Jim
>
>btw: 63.206.87.66 is the router, 63.206.87.67 is my mail server in the 
>DMZ, and I am on a 192.168.x.x machine doing NAT behind this router.


Hope this helps a little.

 
---tm---
Linux Registration Number; 184093, 
http://counter.li.org
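The following is an added example from the editor, not code from tom's post, from Jim, or from Netgear. It parses the FM114P log format quoted above and sorts dropped packets into the cases the thread talks about: an identd probe to TCP 113 (which the post recommends REJECTing rather than silently dropping, so the mailer does not wait out its timeout), and a packet whose source is a well-known service port such as 993 and whose destination is an ephemeral port on the LAN. Treating that second case as the IMAPS server's half of a session the client itself opened, dropped because the router no longer had state for it, is the editor's reading of the quoted log line and not something the post states. The second log line below is constructed for the example, and the SERVICE_PORTS set and EPHEMERAL_MIN threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regex for the Netgear FM114P "TCP packet" log line format quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"\((?P<device>[^)]+)\) (?P<router>\S+) (?P<proto>\w+) packet - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+),(?P<szone>\w+) - "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+),(?P<dzone>\w+) "
    r"\[(?P<action>\w+)\] - \[(?P<rule>[^\]]+)\]$"
)

IDENT_PORT = 113
# Assumption: well-known mail/web service ports a LAN client is likely to have
# connected to itself (IMAPS is 993, which is the port in the quoted line).
SERVICE_PORTS = {25, 110, 143, 443, 465, 587, 993, 995}
# Assumption: anything at or above this is treated as a client-side ephemeral port.
EPHEMERAL_MIN = 1024


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str
    rule: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one FM114P log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        ts=m["ts"], proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), action=m["action"], rule=m["rule"],
    )


def classify(pkt: Packet) -> str:
    """Label a logged packet by what kind of inbound traffic it most likely is."""
    if pkt.dport == IDENT_PORT:
        # identd/AUTH lookup from a mail server, the case the post describes.
        return "ident-probe"
    if pkt.sport in SERVICE_PORTS and pkt.dport >= EPHEMERAL_MIN:
        # Editor's reading: a service port answering an ephemeral port is the
        # server's half of a session the LAN client opened; dropping it means
        # the router had no matching state and the session is lost.
        return "reply-to-client-session"
    if pkt.dport >= EPHEMERAL_MIN:
        return "unsolicited-high-port"
    return "unsolicited-service-port"


ADVICE = {
    "ident-probe": (
        "Mail server identd lookup. If DROPped the mailer waits for its timeout "
        "(the post quotes up to 60 seconds); REJECT TCP 113 so it fails fast."
    ),
    "reply-to-client-session": (
        "Return traffic for a connection the LAN client started; the router "
        "dropped it for lack of state, which matches losing the IMAP login."
    ),
    "unsolicited-high-port": "New inbound connection to a high port; default deny is fine.",
    "unsolicited-service-port": "New inbound connection to a service port; default deny is fine.",
}


def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (classification, advice) for every parseable dropped packet."""
    out = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.action != "Drop":
            continue
        kind = classify(pkt)
        out.append((kind, ADVICE[kind]))
    return out


# The first line is the one quoted in the post; the second is CONSTRUCTED for
# this example to show an identd probe from the same mail server.
SAMPLE_LOG = [
    "2003 Jan 11 10:09:12 (FM114P-2a-5f-a4) 63.206.87.66 TCP packet - "
    "Source:63.206.87.67,993,WAN - Destination:63.206.87.66,33815,LAN [Drop] "
    "- [Inbound Default rule match]",
    "2003 Jan 11 10:09:13 (FM114P-2a-5f-a4) 63.206.87.66 TCP packet - "
    "Source:63.206.87.67,4123,WAN - Destination:63.206.87.66,113,LAN [Drop] "
    "- [Inbound Default rule match]",
]

if __name__ == "__main__":
    for kind, advice in analyze(SAMPLE_LOG):
        print(f"{kind}: {advice}")
```

Run it against a saved copy of the router log to see which dropped packets are ident lookups worth converting to REJECT and which are replies to sessions the LAN client opened; the latter are not something to open a port for, since no rule can restore lost NAT state.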




More information about the Linux-users mailing list