[SATLUG] port triggering

Bob Tracy rct at gherkin.frus.com
Fri Mar 12 09:07:12 CST 2004


Geoff/W5OMR wrote:
>I saw this in another list I read;
>
>=================
>People with Linksys routers (or any other that is supported) should use port
>triggering.  The ports will only be open when the program requests them.
>When not in use the ports are closed.  This will solve any security
>problems.  It will also allow you to use any computer.
>=================
>
>I immediately went looking for a way to do this in ipchains 
>(kernel 2.4.21-144-smp4G) but nothing is jumping out at me.
>
>Is 'port triggering' supported by ipchains, or some equivalent?

Not quite sure what *those* folks mean by "port triggering", because
it's kinda like "stateful packet filtering" in one context, "dynamic
ACL modification" in another.  In other words, everything I've just
said is market-speak of one kind or another, and means exactly what
the user wants it to mean.

Stateful packet filtering has been around far longer than most of the
current vendors would like you to know...  Back in the early 90's there
was a router manufacturer called Morningstar that really "got it" in
terms of understanding what was required to do a firewall properly.
(Some of you have at least heard of Morningstar PPP, which is to current
reference PPP implementations what Latin is to romance languages).
Morningstar came up with a product called "Secure Connect", the most
useful portion of which was their filtering language.  As early as 1993
I had a router that could modify the filters associated with its various
interfaces "on the fly" in response to undesired activity (SATAN scans,
etc.).

The classical filtering problem is how to handle FTP without resorting
to either proxies or passive mode, because the response to a directory
listing or file transfer request is delivered on a different set of
ports than the control connection over which the request is made.  A
"stateful packet inspection" filtering mechanism such as Morningstar's
Secure Connect will look at the packets passing over the control
connection, extract the relevant info from the PORT command that follows,
and dynamically open the necessary small hole in your filter screens to
allow the subsequent data transfer to succeed.  Upon completion, the
filter screens are again dynamically modified to close the hole that
was just opened.

It was many years in computer time before other vendors caught the
clue bus, and many of 'em still don't get it right.

Sorry that the above doesn't really answer your question, but it should
at least give you an idea what functionality you're looking for.  I'm
reasonably sure that current Linux filter implementations (iptables) can
do the job.  The phrase "...ports will only be open when the program
requests them..." could be referring to scenarios such as the FTP one I
mentioned above, but if not, it's bogus: unless your firewall is
actively scanning your network looking for services as they come up,
e.g., SMTP, ain't no way it could decide on its own that it's suddenly
going to allow incoming SMTP connections to your computer where it
did not before :-).

-- 
-----------------------------------------------------------------------
Bob Tracy                   WTO + WIPO = DMCA? http://www.anti-dmca.org
rct at frus.com
-----------------------------------------------------------------------
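The FTP case Bob describes above, as an added illustration that is not part of the original post: a toy stateful filter parses the PORT command seen on the control connection, opens a pinhole for exactly the announced data connection, and closes it again when the transfer ends. The IP addresses and the refusal of PORT targets that differ from the control-connection peer are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# connection; the server then connects back to h1.h2.h3.h4 on p1*256+p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port_command(line, client_ip):
    """Return (ip, port) announced by a PORT command, or None if the line
    is malformed or names a host other than the control-connection peer
    (a filter that trusts such a PORT would open a hole toward a third party)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if ip != client_ip or port < 1024:
        return None
    return ip, port

@dataclass
class StatefulFilter:
    """Toy default-deny screen plus dynamically added pinholes
    (constructed for this example, not any real firewall's API)."""
    pinholes: set = field(default_factory=set)

    def on_control_line(self, server_ip, client_ip, line):
        """Inspect one client->server control line; open a hole if it is
        a well-formed PORT command aimed back at the client itself."""
        target = parse_port_command(line, client_ip)
        if target is not None:
            # Only the single expected server->client data connection is admitted.
            self.pinholes.add((server_ip, target[0], target[1]))
        return target is not None

    def allow(self, src_ip, dst_ip, dst_port):
        """Would an inbound connection from src_ip to dst_ip:dst_port pass?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes

    def on_transfer_done(self, server_ip, client_ip, port):
        """Transfer finished: close the hole that was opened for it."""
        self.pinholes.discard((server_ip, client_ip, port))
```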