[plug] Firewall on gateway

Mark O'Shea mark at musicalstoat.co.uk
Fri Mar 19 16:04:13 WST 2004


> On Fri, 2004-03-19 at 14:09, Rennie wrote:
>
> > I'm not 100% but it seems to be outgoing NATed traffic, or related
> > incoming?? I'm talking volumes like 5,152,332 "In", 1,558,253 "Out" on
> > port 2257 ???!?
>
It might be useful to take a look to see if port 2257 is the source or
the destination port, and what the corresponding source or destination is.

For instance:

Outside your network            Inside your network

From port 2257                  To port 22          -(1)

From port 110                   To port 2257        -(2)


Case (1) is a packet from the internet connecting to port 22 somewhere
inside your network, and we would expect that to mean that someone was
connecting via ssh from outside to you.

Case (2) however is a packet coming again from the internet but this time
from port 110 (usually the pop service) and going to port 2257 on a
machine in your network.  This would probably be a packet sent back from
the server in the internet in response to a request for a connection from
a client in your network (i.e., picking up their email); this is not the
same as someone connecting to you from port 110 to port 2257, it's just a
passing packet that is part of a TCP connection.  And the random
port number is just what was assigned to the client program when it tried
to make the connection.

I don't know if that was clear or not (there is probably a document
somewhere that puts it more eloquently than I; this is a longer email
than I had anticipated) but if you can get your head around how the
traffic does its business then it will take three quarters of the
headache out of constructing your firewall.

-- 
Mark O'Shea
(My time is 8 hours behind because I ssh to an email server in the UK to
read and send my email.  I should probably move it here.)
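The rule Mark describes (a packet to a service port from a high-numbered port is a connection towards that service; a packet from a service port to a high-numbered port is the service's reply to a client that connected earlier) can be applied mechanically to firewall log lines. The script below is an added example and is not from the original post or from any project mentioned in it. It assumes log lines in the key=value style the Linux netfilter LOG target produces (SRC=, DST=, SPT=, DPT=, PROTO=, plus flag words such as SYN and ACK); the sample lines, addresses, the 192.168.1.0/24 "inside" network and the list of service ports are constructed for illustration.

```python
"""Classify firewall log lines by which side initiated the TCP connection.

Added example (not from the original post). Assumes netfilter LOG-style
lines; sample data, addresses and the local network are constructed.
"""
import ipaddress
import re
from collections import Counter

# Service ports used in the examples; extend with what your network really serves.
SERVICE_PORTS = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 143: "imap", 443: "https"}
RESERVED_MAX = 1023  # ports above this are the classic client-side (ephemeral) range

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed "inside" network

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Pull the fields we need out of a KEY=VALUE style log line."""
    fields = dict(FIELD_RE.findall(line))
    tokens = set(line.split())
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
        "proto": fields.get("PROTO", "?"),
        "flags": tokens & TCP_FLAGS,  # netfilter prints TCP flags as bare words
    }


def service_name(port):
    """Name a port as a service if it is well known or in the reserved range."""
    if port in SERVICE_PORTS:
        return SERVICE_PORTS[port]
    if port <= RESERVED_MAX:
        return f"port-{port}"
    return None  # ephemeral: assigned to a client program when it connected


def classify(pkt):
    """Decide which side initiated the connection this packet belongs to.

    A packet *to* a service port from an ephemeral port is a request towards
    the service; a packet *from* a service port to an ephemeral port is the
    service's reply to a client that opened the connection earlier.
    """
    src_side = "inside" if pkt["src"] in LOCAL_NET else "outside"
    dst_side = "inside" if pkt["dst"] in LOCAL_NET else "outside"
    src_svc = service_name(pkt["sport"])
    dst_svc = service_name(pkt["dport"])
    flags = pkt["flags"]
    # A bare SYN is the first packet of a new connection; anything carrying ACK
    # belongs to a connection that already exists, which is exactly what a
    # stateful firewall's ESTABLISHED/RELATED rule matches on.
    handshake = "SYN" in flags and "ACK" not in flags

    if dst_svc and not src_svc:
        initiator, service, server_side, role = src_side, dst_svc, dst_side, "request"
    elif src_svc and not dst_svc:
        initiator, service, server_side, role = dst_side, src_svc, src_side, "reply"
    else:
        # both or neither look like service ports: port numbers alone cannot tell
        initiator, service, server_side, role = "unknown", None, None, "ambiguous"

    return {
        "initiator": initiator,      # whose client opened the connection
        "service": service,          # what the connection is for
        "server_side": server_side,  # where the listening service lives
        "role": role,                # request towards the service, or its reply
        "handshake": handshake,
    }


def summarize(lines):
    """Count log lines by (initiator, service, role) so raw volumes make sense."""
    counts = Counter()
    for line in lines:
        c = classify(parse_log_line(line))
        counts[(c["initiator"], c["service"], c["role"])] += 1
    return counts


# Constructed sample lines mirroring the two cases in the post.
SAMPLE_LOG = [
    # (1) outside host, ephemeral port 2257, to port 22 inside: a connection to your ssh
    "IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=2257 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # (2) outside pop3 server replying to port 2257 on an inside client that asked for mail
    "IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.20 PROTO=TCP SPT=110 DPT=2257 WINDOW=5840 RES=0x00 ACK PSH URGP=0",
    "IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.20 PROTO=TCP SPT=110 DPT=2257 WINDOW=5840 RES=0x00 ACK PSH URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(parse_log_line(line)))
    print(summarize(SAMPLE_LOG))
```

Run against a real log, the summary turns "5 million bytes on port 2257" into "N packets: inside client fetching pop3 from outside" or "N packets: outside host connecting to inside ssh", which is the question that matters when deciding what the firewall should allow. The port heuristic is only a reading aid; a stateful firewall tracks the handshake itself, so the actual rule set should let conntrack decide what is established rather than hand-coding port ranges.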
