[UFO Chicago] NAT and port filtering

sjk@dredel.com sjk@dredel.com
Tue, 28 Jan 2003 11:19:19 -0600 (CST)


On Tue, 28 Jan 2003, Robert B. Moses wrote:

> This isn't strictly a free OS question ... rather a TCP/IP question (and
> i feel it is a "stupid" one as well..sorry)
>
> I'm having a brain misfire on TCP/IP port filtering (as a poor man's
> firewall. I know that filtering only is not a great substitute for
> Stateful Packet Inspection but it will have to do.)
>
> I need 3 boxes connected to a Netgear router doing NAT and filtering.
> None of these boxes run any servers/services...they are simply client
> machines that want to browse the WWW and POP off their email. Easy.
> so..
> 1/2 my mind says "well since you don't need any inbound connections you
> can drop ALL inbound traffic"
> the other 1/2 says "don't be stupid, you have to allow the client
> initiated requests to come back via whatever port it started at..."

Correct.

>
> I haven't done this in a while but something doesn't seem right with my
> reasoning......any elucidation out there? ;-0
> Would blocking/dropping inbound connections 0-1024 be sufficient?

Theoretically, this should work 99% of the time. For tcp most packet
filtering looks to see if the return packet has the ACK or RST bits set
and if SYN matches. Of course with udp you can't easily do this -- so you
usually let gt 1024 in . . . Letting in all tcp gt 1024 can be a problem
-- a lot of M$ services run on upper ports, and occasionally, some
requests will emanate from a lower port. . .

--sjk
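The two halves of the original question, and the stateless rule sjk describes, can be played out on a handful of constructed packets. The following is an added example, not code from the thread or from any Netgear firmware: it models an inbound-only filter on the router, with the "drop ALL inbound" policy beside the "let replies back in" policy. Packet fields, port numbers and the rule thresholds are assumptions chosen to match the reply (TCP admitted above port 1024 only when ACK or RST is set and it is not a bare SYN; UDP admitted above 1024 by destination port alone, since there are no flags to check).

```python
"""Toy stateless inbound packet filter (added example, not from the thread).

Models the reasoning in the reply: a client-initiated TCP connection
produces inbound reply segments with ACK (or RST) set, aimed at the
unprivileged source port the client picked, so a filter can admit those
without admitting new connection attempts (bare SYN). UDP carries no such
flags, so the only handle is the destination port, which is exactly the
weakness the reply warns about.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port on the inside host
    syn: bool = False
    ack: bool = False
    rst: bool = False


def drop_all_inbound(pkt: Packet) -> str:
    """First half of the question: drop everything coming in."""
    return "DROP"


def stateless_filter(pkt: Packet) -> str:
    """Second half: admit what looks like a reply to a client-initiated flow.

    Thresholds (port > 1024) and flag logic are assumptions matching the
    reply's description, not a specific vendor's ruleset.
    """
    if pkt.proto == "tcp":
        if pkt.syn and not pkt.ack:
            return "DROP"               # new inbound connection attempt
        if (pkt.ack or pkt.rst) and pkt.dport > 1024:
            return "ACCEPT"             # looks like a reply to our client
        return "DROP"                   # privileged port, or no ACK/RST
    if pkt.proto == "udp":
        # No flags to inspect: destination port is the only criterion.
        return "ACCEPT" if pkt.dport > 1024 else "DROP"
    return "DROP"


def evaluate(policy, packets):
    """Apply a policy to each packet; returns list of (packet, verdict)."""
    return [(pkt, policy(pkt)) for pkt in packets]


# Constructed sample traffic seen on the router's WAN side, inbound.
SAMPLE = [
    # SYN/ACK from a web server answering the client's SYN from port 33000
    Packet("tcp", 33000, syn=True, ack=True),
    # POP3 server data segment back to the client's ephemeral port
    Packet("tcp", 33002, ack=True),
    # Unsolicited connection attempt to the client's ephemeral port range
    Packet("tcp", 33000, syn=True),
    # Unsolicited connection attempt to a privileged port (e.g. 80)
    Packet("tcp", 80, syn=True),
    # DNS reply to the resolver's ephemeral UDP port
    Packet("udp", 33001),
    # Unsolicited UDP datagram to a privileged port
    Packet("udp", 53),
]


def summarize(policy) -> dict:
    """Count ACCEPT/DROP verdicts so the two policies can be compared."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for _, verdict in evaluate(policy, SAMPLE):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for name, policy in (("drop_all_inbound", drop_all_inbound),
                         ("stateless_filter", stateless_filter)):
        print(f"== {name}: {summarize(policy)}")
        for pkt, verdict in evaluate(policy, SAMPLE):
            print(f"  {verdict:6} {pkt}")
```

Running it shows why the first policy is wrong for these clients: every reply segment, including the SYN/ACK that completes the browser's handshake, is dropped. The second policy admits the replies and still drops bare SYNs to any port. What it cannot do is distinguish the DNS reply to UDP 33001 from an unsolicited datagram to the same port, and an inbound TCP segment with only ACK set to an upper port passes as if it were a reply; that is the gap stateful inspection closes, as both the question and the reply acknowledge.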