| From | buck <buck@private.mil> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: Allow new incoming connection? |
| Date | 2013-06-22 06:35 +0000 |
| Organization | Say What? |
| Message-ID | <kq3gjs02jcm@news4.newsguy.com> |
| References | <kq261g07eh@news1.newsguy.com> <87wqpnwan1.fsf@araminta.anjou.terraraq.org.uk> |
Richard Kettlewell <rjk@greenend.org.uk> wrote in
news:87wqpnwan1.fsf@araminta.anjou.terraraq.org.uk:

> buck <buck@private.mil> writes:
>> I recently acquired a B&N Nook, which has caused me to raise these
>> questions.
>>
>> First, a definition: Ports greater than 1024 are "unreserved" or
>> "high" ports. EDIT: I meant greater than 1023. 1024 is a "high port".
>> My firewall is configured to allow ESTABLISHED and RELATED tcp
>> connections where both source and destination ports are high, but it
>> rejects NEW unless these are specifically allowed. For example, I
>> allow incoming VNC on --dport 5900 to one computer and 6502 (for a
>> program similar to VNC called NetOp) on another.
>>
>> The Nook is going nuts because it is being prevented from
>> establishing NEW connections from google (74.125.142.0/24) on high
>> ports.
>
> To or from google?

I said what I meant. FROM google. NEW, not ESTABLISHED and not RELATED.

>> Is my rejection of NEW on high ports wrong?
>
> It seems like an odd distinction to build into the policy.

In what way? I think allowing incoming connections requires justification,

>> Should I allow just google? What is best practice (and why?)?
>
> For inbound connections, the obvious cautious approach is to decide
> what you want to allow, permit that, and reject everything else.

Which I do. I just don't know if it matters when the incoming connection
is on a high port, because there's no daemon/service associated.

> For outbound connections, it depends how much you trust the devices
> attached to network,

N/A

-- 
buck
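The policy under discussion (accept ESTABLISHED/RELATED, accept NEW only on an explicit allow-list, reject every other NEW packet) is easiest to reason about by watching how a connection tracker classifies the three packets that matter here: a reply to a connection the Nook itself opened, an unsolicited SYN from the Google range to a high port, and a SYN to the allowed VNC port. The following is an added toy model written for this page, not code from the poster or from netfilter; the LAN addresses, the Nook's address, the 192.168.1.10/.11 service hosts and all port numbers other than 5900 and 6502 are made up, the 74.125.142.0/24 range is the one named in the post, and RELATED state (e.g. FTP data channels) is not modelled. Unlike the post's description, the ESTABLISHED rule here does not look at port numbers at all, which is the usual form of that rule.

```python
"""Toy model of a stateful (conntrack-style) inbound firewall policy.

Constructed example for this thread: a minimal 4-tuple connection
tracker plus an INPUT policy that accepts ESTABLISHED traffic, accepts
NEW only for explicitly allowed (host, port) pairs, and rejects every
other NEW packet. Hosts, ports and addresses are made up except for the
74.125.142.0/24 range and ports 5900/6502, which come from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a bare SYN, i.e. a connection attempt


def is_high_port(port: int) -> bool:
    """'High' (unprivileged) port per the post's corrected definition: > 1023."""
    return port > 1023


class Conntrack:
    """Tracks flows by 4-tuple; a packet in either direction of a known flow
    is ESTABLISHED, anything else is NEW (RELATED is not modelled)."""

    def __init__(self) -> None:
        self._flows = set()

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if (fwd in self._flows or rev in self._flows) else "NEW"

    def record(self, p: Packet) -> None:
        self._flows.add((p.src, p.sport, p.dst, p.dport))


# Hypothetical LAN and the explicit inbound allow-list from the post:
# VNC (5900) to one machine, NetOp (6502) to another.
LAN = ip_network("192.168.1.0/24")
ALLOW_NEW_INBOUND = {("192.168.1.10", 5900), ("192.168.1.11", 6502)}


class Firewall:
    def __init__(self) -> None:
        self.ct = Conntrack()

    def outbound(self, p: Packet) -> str:
        """LAN -> Internet: accepted, and the flow is recorded in conntrack."""
        assert ip_address(p.src) in LAN
        self.ct.record(p)
        return "ACCEPT"

    def inbound(self, p: Packet) -> tuple:
        """Internet -> LAN: returns (conntrack state, verdict)."""
        state = self.ct.state(p)
        if state == "ESTABLISHED":
            return state, "ACCEPT"  # reply traffic, whatever the port numbers
        if (p.dst, p.dport) in ALLOW_NEW_INBOUND:
            self.ct.record(p)
            return state, "ACCEPT"  # explicitly allowed service
        return state, "REJECT"      # NEW to an unlisted (host, port)


def demo() -> list:
    """Run three constructed packets through the policy and return
    (label, state, verdict) for each."""
    fw = Firewall()
    google = "74.125.142.10"   # hypothetical host in the range from the post
    nook = "192.168.1.20"      # hypothetical address of the Nook
    results = []

    # 1. The Nook opens a TLS connection to Google. The reply comes back
    #    from port 443 to the Nook's high source port and is ESTABLISHED.
    fw.outbound(Packet(nook, 49152, google, 443, syn=True))
    reply = Packet(google, 443, nook, 49152)
    results.append(("reply to Nook's own connection", *fw.inbound(reply)))

    # 2. A host in the Google range sends a bare SYN to the Nook on a high
    #    port with no prior outbound flow: NEW, not allow-listed, rejected.
    unsolicited = Packet(google, 45000, nook, 50000, syn=True)
    results.append(("unsolicited SYN to Nook high port", *fw.inbound(unsolicited)))

    # 3. A NEW SYN to the VNC host on 5900 matches the allow-list.
    vnc = Packet("198.51.100.7", 40000, "192.168.1.10", 5900, syn=True)
    results.append(("SYN to allowed VNC port", *fw.inbound(vnc)))
    return results


if __name__ == "__main__":
    for label, state, verdict in demo():
        print(f"{label:36s} {state:12s} {verdict}")
```

The point the model makes visible is that conntrack state, not the port class, decides the verdict: packet 1 uses a high port on the Nook's side and is accepted because it belongs to a flow the Nook opened, while packet 2 also uses high ports on both sides and is rejected because nothing on the LAN ever initiated it. To check whether a "blocked" Nook flow is really an unsolicited inbound NEW packet or a reply whose state got lost, log the rejected packets in the real ruleset (for example with a LOG target before the REJECT) and compare the logged 4-tuple against the Nook's own outbound connections.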
Allow new incoming connection? buck <buck@private.mil> - 2013-06-21 18:29 +0000
Re: Allow new incoming connection? Aragorn <thorongil@telenet.be.invalid> - 2013-06-21 20:36 +0200
Re: Allow new incoming connection? buck <buck@private.mil> - 2013-06-22 06:46 +0000
Re: Allow new incoming connection? Aragorn <thorongil@telenet.be.invalid> - 2013-06-22 08:53 +0200
Re: Allow new incoming connection? Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2013-06-22 14:47 +0200
Re: Allow new incoming connection? Aragorn <thorongil@telenet.be.invalid> - 2013-06-22 15:09 +0200
Re: Allow new incoming connection? Richard Kettlewell <rjk@greenend.org.uk> - 2013-06-22 14:27 +0100
Re: Allow new incoming connection? Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2013-06-22 16:37 +0200
Re: Allow new incoming connection? Richard Kettlewell <rjk@greenend.org.uk> - 2013-06-21 20:01 +0100
Re: Allow new incoming connection? buck <buck@private.mil> - 2013-06-22 06:35 +0000
Re: Allow new incoming connection? Richard Kettlewell <rjk@greenend.org.uk> - 2013-06-22 09:39 +0100
Re: Allow new incoming connection? David Hough <noone$$@llondel.org> - 2013-06-22 12:18 +0100
Re: Allow new incoming connection? "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> - 2013-06-22 07:37 -0500
Re: Allow new incoming connection? Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2013-06-22 14:56 +0200
Re: Allow new incoming connection? buck <buck@private.mil> - 2013-06-22 17:35 +0000
Re: Allow new incoming connection? buck <buck@private.mil> - 2013-06-22 18:01 +0000
Re: Allow new incoming connection? "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> - 2013-06-22 14:29 -0500