 
 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  Peter at iwebsl dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Question about rules
 Date:  Mon, 29 Aug 2005 13:59:22 -0400
Peter wrote:
> When setting up the rules for m0n0 I first did an inbound NAT TCP 80 (HTTP) 192.138.10.2 80 (HTTP)
> web server and I selected create rule automatically. Now when I look at the rule I see:
> TCP 	* 	* 	192.138.10.2	80 (HTTP) 	NAT web server. 
> 
> I've been using Smoothwall Express for the past few years and when creating a rule you start with
> protocol then source port etc. and the rule would look like this:
> TCP 	ALL 	80 (HTTP)  192.138.10.2 	80 (HTTP)
> 
> 
> My question is: should the source port not be set to 80 (HTTP) as well and if not doesn't that
> rule leave the WAN open to everything?
> 
> Peter

Hi Peter... No, Smoothwall (IMHO) INCORRECTLY refers to the destination
port on the firewall's WAN interface as the SOURCE port in its rules.


In general terms, each end of a connection (TCP) has an IP address and a
port associated with it - These 4 pieces of information make up a socket.

clientIP:sourceport -----> serverIP:destinationport


When a web browser on a client makes connection to a web server on the
web server's destination port 80, the client's SOURCE port should be a
port number in the unprivileged range between 1024 and 65535.


clientIP:23456 -----> webserverIP:80   is a normal, proper-looking
connection - i.e.:   1023 < sourceIP < 65536

while:

clientIP:120 -----> webserverIP:80
or
clientIP:80  -----> webserverIP:80

signify that the client is doing something non-standard and might
trigger some alarms or firewall rules at some sites.


So, monowall's rules definition and use of the term "SOURCE port" is
correct and less confusing than Smoothwall's.

With m0n0wall you can actually define the real source port range as only
unprivileged ports 1024-65535 (very anal retentive security people often
define their firewall rules like this) because there is no good reason
that a client should be allocating privileged ports to make outbound
connections. Some may argue :)

With Smoothwall, you can not do this.

In any case, both rules (m0n0 and Smoothy) that you listed above mean
the same thing because you can not specify the REAL source port in a
Smoothwall rule.

I hope this helps to clarify this a bit.

-
Bill Arlofski
Reverse Polarity
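To make the source-port point in the reply concrete, here is an added illustration (not code from m0n0wall, Smoothwall or anyone in this thread) that models a pass rule as a match on the connection 4-tuple. The `Rule` class, `from_smoothwall_row`, the client addresses and the connection attempts are all constructed for the example; only the web server address and the rule rows come from the messages above. It shows that the m0n0wall auto-generated rule and the Smoothwall row describe the same filter (the Smoothwall "source port" column is really the WAN-side destination port of the NAT mapping), and that restricting the real source port to 1024-65535, which only m0n0wall lets you express, is what actually blocks the odd-looking `clientIP:80 -----> webserverIP:80` connection.

```python
"""Model how a firewall's pass rule matches the 4-tuple of a TCP connection.

Added illustration for the thread above, not code from m0n0wall or Smoothwall.
The Rule class, field names and every sample connection below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None stands for "*" (any port)

WEB_SERVER = "192.138.10.2"             # the LAN web server from the thread


@dataclass(frozen=True)
class Rule:
    """Pass rule in m0n0wall column order: proto, source, source port, destination, dest port."""
    proto: str
    src_net: Optional[str]    # None == any source address
    src_ports: PortRange      # the client's REAL source port
    dst_host: str
    dst_ports: PortRange      # the port the packet is addressed to

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        """True when every field of the rule accepts this connection attempt."""
        if proto != self.proto:
            return False
        if self.src_net is not None and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.src_ports is not None and not (self.src_ports[0] <= src_port <= self.src_ports[1]):
            return False
        if ip_address(dst_ip) != ip_address(self.dst_host):
            return False
        if self.dst_ports is not None and not (self.dst_ports[0] <= dst_port <= self.dst_ports[1]):
            return False
        return True


def from_smoothwall_row(proto: str, src: str, wan_port: int,
                        dst_host: str, dst_port: int) -> Tuple[Tuple[int, int], Rule]:
    """Split a Smoothwall-style row into its NAT mapping and its filter rule.

    The column Smoothwall labels "source port" is the port on the firewall's
    WAN interface that the packet is addressed to, so it belongs to the NAT
    mapping (wan_port -> dst_port). Smoothwall has no field for the client's
    real source port, so the resulting filter rule carries "*" there.
    """
    src_net = None if src.upper() == "ALL" else src
    return (wan_port, dst_port), Rule(proto, src_net, None, dst_host, (dst_port, dst_port))


def is_ephemeral(port: int) -> bool:
    """True when the client picked a source port in the unprivileged range."""
    return 1024 <= port <= 65535


# Constructed connection attempts toward the web server: (client IP, client source port)
SAMPLE_CLIENTS = [("203.0.113.10", 23456), ("203.0.113.11", 120), ("203.0.113.12", 80)]


def evaluate(rule: Rule, clients=SAMPLE_CLIENTS) -> List[Tuple[str, bool]]:
    """Return 'clientIP:sport -----> server:80' with the rule's verdict for each attempt."""
    return [(f"{ip}:{sport} -----> {WEB_SERVER}:80",
             rule.matches("tcp", ip, sport, WEB_SERVER, 80)) for ip, sport in clients]


# The rule m0n0wall generated automatically: TCP * * 192.138.10.2 80
AUTO_RULE = Rule("tcp", None, None, WEB_SERVER, (80, 80))

# The same forward written the Smoothwall way: TCP ALL 80 192.138.10.2 80
NAT_MAPPING, SMOOTHWALL_RULE = from_smoothwall_row("tcp", "ALL", 80, WEB_SERVER, 80)

# The stricter variant m0n0wall lets you express: real source port limited to 1024-65535
STRICT_RULE = Rule("tcp", None, (1024, 65535), WEB_SERVER, (80, 80))

if __name__ == "__main__":
    for name, rule in [("auto", AUTO_RULE), ("smoothwall", SMOOTHWALL_RULE), ("strict", STRICT_RULE)]:
        for conn, verdict in evaluate(rule):
            print(f"{name:10s} {conn}  {'pass' if verdict else 'block'}")
```

Running it prints the same three verdicts for the `auto` and `smoothwall` rules (all pass, because neither constrains the client's source port), while the `strict` rule passes only the 23456 attempt. That is the whole difference between the two products here: the filter is identical, m0n0wall just has a column for a constraint Smoothwall cannot state.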