Security Portal: Linux Firewalling and Port Behavior
Nov 01, 2000, 22:16
(Other stories by Kurt Seifried)
"I rebuilt my gateway server, and decided to go gung-ho when it came to firewalling - a default deny policy for input, output and forward chains. Needless to say, this breaks a lot of things. Well, it breaks basically everything, until you start putting in rules to allow packets through. Using a default deny policy in Linux is tricky because the firewall in kernel 2.2 is not stateful. (It is stateful in 2.4, but that is still in a test series and several months off from release.) With a stateful firewall you can make simple rules: 'If you see an outgoing connection, let the incoming packets associated with it through.' If your firewall is not stateful, you will have to create many rules to allow services to work for clients. This can be annoying if you really want to lock your firewall down. Here's what it comes down to: Creating a really tight firewall in Linux is a pain."
"But all is not lost. Several tips and tricks can aid you in creating a tight firewall. The first trick looks at the local port numbers that the system uses for outgoing connections. All TCP connections have a source port and address, and a destination port and address. If you want to control which ports connections are allowed to go out on - and thus the incoming packets you will need to allow in - you must know the port range. Otherwise, to let connections out and the reply data back in, you'll need to allow all the ports in, 65,535 of them."
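The trick the excerpt describes, worked through as an added example that is not part of the article or of Kurt Seifried's own scripts: read the kernel's local port range (the source ports it hands out for outgoing connections), set the three chains to a default deny, and then, per service the gateway itself needs to reach, allow the outgoing connection and let only non-SYN replies back in to that range. The gateway address `192.0.2.1`, the service list and the fallback range `1024 4999` are constructed placeholders; the rules are printed rather than executed unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the article: build ipchains (kernel 2.2 style,
# non-stateful) rules that admit TCP replies only to the local ephemeral
# port range instead of opening all 65,535 ports inbound.

GW_IP="${GW_IP:-192.0.2.1}"   # placeholder external address of the gateway
SERVICES="${SERVICES:-53 80}"  # constructed list: remote ports the gateway connects to
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules, 0 = run them

# Source-port range the kernel uses for outgoing connections.  Falls back
# to the classic 2.2 default if /proc is not readable (e.g. off-box use).
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "1024 4999"
    fi
}

# One inbound rule: replies from remote port $svc to our ephemeral range.
# "! -y" matches only packets without SYN, so the rule cannot be used to
# open a new inbound connection to a listener sitting in that range.
reply_rule() {
    ip="$1"; lo="$2"; hi="$3"; svc="$4"
    echo "ipchains -A input -p tcp ! -y -s 0/0 $svc -d $ip $lo:$hi -j ACCEPT"
}

# One outbound rule: connections from our ephemeral range to remote port $svc.
connect_rule() {
    ip="$1"; lo="$2"; hi="$3"; svc="$4"
    echo "ipchains -A output -p tcp -s $ip $lo:$hi -d 0/0 $svc -j ACCEPT"
}

# Full rule set: default deny on all three chains, then one outbound and
# one inbound rule per service in $4 (space-separated remote ports).
build_rules() {
    ip="$1"; lo="$2"; hi="$3"; svcs="$4"
    echo "ipchains -P input DENY"
    echo "ipchains -P output DENY"
    echo "ipchains -P forward DENY"
    for svc in $svcs; do
        connect_rule "$ip" "$lo" "$hi" "$svc"
        reply_rule "$ip" "$lo" "$hi" "$svc"
    done
}

# Print or execute the generated rules.
apply_rules() {
    set -- $(local_port_range)
    build_rules "$GW_IP" "$1" "$2" "$SERVICES" | while read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$rule"
        else
            $rule
        fi
    done
}

apply_rules
```

The range matters because anything listening on a port inside it (a local service bound to a high port) would otherwise be reachable from outside through the reply rules; the `! -y` SYN check is what keeps those rules from admitting new connections. Narrowing the range via `/proc/sys/net/ipv4/ip_local_port_range` shrinks the inbound window further.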