Firewall help

Hello,

I have one problem / issue which I can’t figure out.
I have two network cards, one is directly connected to the internet, the other one is connected to my other PC in LAN.
I needed to set up Internet connection sharing and I did that following the guide in this link: ICS - openSUSE
So, I did that and everything is working fine, I can access my other PC in LAN, that other machine can access the internet.
No problems at all.

So, what I don’t understand is the External zone: it should block all incoming connections, right?
To clarify, network interface for direct internet connection is set to the External zone, the other interface used for LAN is set to the Internal zone.

Now, here’s the thing, when I use kTorrent or Transmission, they are working without problems (and they shouldn’t, unless I open a port for them, right?)
It doesn’t matter what port I choose to be used in those applications, when I check for the open ports by nmap or the grc shieldsup website, they say that port (used in torrent applications) is open.
And even without that it’s obvious that the port is open, because I can download for example OpenSuse without problems.

How is this possible and how can I block all incoming traffic unless I allow it?

On Thu, 27 Oct 2011 18:06:03 +0000, gzenum wrote:

> Now, here’s the thing, when I use kTorrent or Transmission , they are
> working without problems (and they shouldn’t have unless I open a port
> for it, right ? )

Not exactly. Programs that require a reply use a dynamically allocated
port (typically in a high port range) that doesn’t need to be explicitly
opened. The incoming connection is initiated because a program requested
it, so that program needs to be able to respond to it.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

For some reason I thought that every port (0-65535) is blocked, not just the lower ones (service ports).
Would be nice if there were an option to block them all, perhaps to add a “Block” option in Custom rules, right now there’s only an “Allow” option there.

On Thu, 27 Oct 2011 21:26:03 +0000, gzenum wrote:

> hendersj;2397981 Wrote:
>> On Thu, 27 Oct 2011 18:06:03 +0000, gzenum wrote: Not exactly.
>> Programs that require a reply use a dynamically allocated
>> port (typically in a high port range) that doesn’t need to be
>> explicitly
>> opened. The incoming connection is initiated because a program
>> requested
>> it, so that program needs to be able to respond to it.
>>
>>
> For some reason I thought that every port (0-65535) is blocked, not just
> the lower ones (service ports).
> Would be nice if there would be an option to block them all , perhaps to
> add “Block” option in Custom rules, right now there’s only “Allow”
> option there.

Thing is, if they were all blocked, then inbound connections required for
applications wouldn’t work at all.

For example, if I use my NNTP reader to connect to port 119 on a server,
the responses come back on a dynamically allocated high port. Blocking
the allocation of that port will break the reader and make it look like
there’s no response from the source (because no reply is received).

Even telnetting to the port would not result in a response because the
response couldn’t get back to the open telnet session.

So by definition, if an application sends a request to a remote server,
the server has to be able to respond and the response has to be allowed
back to the requesting application.

Jim


But in this case (torrent application), the port is not dynamic, you actually choose which port to assign and the application then acts as a server, accepting incoming connections.
And I can assure you that the port is open.

On Thu, 27 Oct 2011 23:56:03 +0000, gzenum wrote:

> But in this case (torrent application) , port is not dynamic , you
> actually choose which port to assign and application then acts as a
> server, accepting incoming connections. And I can assure you that the
> port is open.

Yes, but that’s not the only network-based application you run, is it?

Jim


On 2011-10-28 01:56, gzenum wrote:
>
> But in this case (torrent application) , port is not dynamic , you
> actually choose which port to assign and application then acts as a
> server, accepting incoming connections.
> And I can assure you that the port is open.

But it is a high port, no?

Anyway, you can post your configuration (between code tags) so that we can
check it.


cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#"


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Sure, but I’m coming from Windows trying to move to the Linux world.
In Windows, even with the default built-in firewall , when you block all Incoming connections they are all blocked and outgoing connections are working normal.
Anything that tries to open some port gets blocked and you receive alert to allow it or not.
Third party firewalls are even better but that’s not the topic.

In the meantime I tried other distros, just to see whether this issue will appear with them and different Linux firewalls.
Turns out this has nothing to do with openSuse, the same thing is happening in other distros and other firewalls.
I guess that’s how Linux is built, though I’m not sure; that’s why I’m asking about it.

@robin_listas , unfortunately I don’t have openSuse installed at the moment, but as soon as I install it I will post the configuration based on your code.
But basically it’s like I described in the first post, didn’t change anything, except configuring ICS (without DHCP server) and clients are configured manually (gateway and DNS servers).

Nope, Windows firewall works the same way :slight_smile: If you use any bittorrent client on Windows with all the incoming ports blocked it will work just like on openSUSE. That’s the way all firewalls I know of work.

Best regards,
Greg

On Sat, 29 Oct 2011 15:56:02 +0000, gzenum wrote:

> hendersj;2398085 Wrote:
>>
>> Yes, but that’s not the only network-based application you run, is it?
>>
>>
> Sure, but I’m coming from Windows trying to move to the Linux world. In
> Windows, even with the default built-in firewall , when you block all
> Incoming connections they are all blocked and outgoing connections are
> working normal.

The first thing any seasoned Linux user is going to tell you is that
Linux is not Windows. Things don’t work the way they do in Windows, and
you shouldn’t expect things to work the same. :slight_smile:

But I would also say that your assertion that incoming connections are
not blocked. If you block all incoming connections and then open IE up
in Windows, you still are able to surf the web. If all inbound
connections were blocked, then the data would never get back to the
application.

> In the meantime I tried other distros , just to see whether this issue
> will appear with them and different linux firewalls. Turns out this has
> nothing to do with openSuse, same thing is happening in other distros
> and other firewalls. I guess that’s how Linux is built though I’m not
> sure , that’s why I’m asking about it.

That’s OK, that’s why we’re explaining to you how it works. It’s not
Windows, so you shouldn’t expect it to behave like Windows. :slight_smile:

Jim


That’s because bittorrent clients come with the option to add a rule to the windows firewall which will open the port that is set to be open in the client.
In any case, I can go to the firewall and delete that rule or just block it.
In Linux I can’t do that, that’s the problem.

Let’s say for the sake of the conversation that I want to block all incoming ports even if my outgoing connections wouldn’t work if I do that.
How can I do it?

I realize it’s not Windows and I don’t expect Linux to behave like Windows, the only gripe I have with Linux is the firewall part.

I also understand that application firewall is very hard to be made in Linux, but I didn’t expect that I wouldn’t be able to block / allow all ports to my liking for all applications / system wide.

On Sat, 29 Oct 2011 22:26:02 +0000, gzenum wrote:

> Let’s say for the sake of the conversation that I want to block all
> incoming ports even if my outgoing connections wouldn’t work if I do
> that. How can I do it ?

ifdown eth0

:slight_smile:

Jim


On Sat, 29 Oct 2011 22:57:18 +0000, Jim Henderson wrote:

> On Sat, 29 Oct 2011 22:26:02 +0000, gzenum wrote:
>
>> Let’s say for the sake of the conversation that I want to block all
>> incoming ports even if my outgoing connections wouldn’t work if I do
>> that. How can I do it ?
>
> ifdown eth0
>
> :slight_smile:

Now for a more serious answer.

If you want to block incoming traffic to a system (Linux or any other),
set up a router to your connection to the Internet, configure it for NAT,
and only forward the ports to the machine that you want to receive
traffic from outside your network.

That will accomplish almost exactly what you want (except that, again, if
you initiate an outbound connection, you will be able to get responses -
that’s how network communications work).

Jim


On 2011-10-29 23:29, Jim Henderson wrote:
> The first thing any seasoned Linux user is going to tell you is that
> Linux is not Windows. Things don’t work the way they do in Windows, and
> you shouldn’t expect things to work the same. :slight_smile:
>
> But I would also say that your assertion that incoming connections are
> not blocked. If you block all incoming connections and then open IE up
> in Windows, you still are able to surf the web. If all inbound
> connections were blocked, then the data would never get back to the
> application.

However… high ports are opened only if they are part of the negotiation
in the outgoing packet. A packet goes out requesting response on a given
high port, and that port is opened. The connection is tracked.

That is different from having all high ports opened to connect to any
listening app inside. If you look at the firewall configuration, you may
see this deprecated variable:


# Specify which ports are allowed to access unprivileged ports (>1023)
#
# Format: yes, no or space separated list of ports
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname). Note that this is easy to circumvent! The best choice is to
# keep this option unset or set to 'no'
#
# defaults to "no" if not set (good choice)
#
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""


On the other hand, p2p applications are designed to circumvent firewalls.

Windows is different, because listening ports have to be authorized per
application. The “per application” part doesn’t exist in Linux.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Sat, 29 Oct 2011 23:38:06 +0000, Carlos E. R. wrote:

> However… high ports are opened only if they are part of the
> negotiation in the outgoing packet. A packet goes out requesting
> response on a given high port, and that port is opened. The connection
> is tracked.

Sure. For example, if I use a web browser (regardless of platform), a
port is opened on my machine for the request to be sent from - so a
source port of 32767 might be used with a destination port of 80. The
response that comes back comes back to 32767.

If I block 32767 on my system, then the ‘pipe’ can’t be opened and no
communication takes place.

> That is different from having all high ports opened to connect to any
> listening app inside. If you look at the firewall configuration, you may
> see this deprecated variable:

True.

> On the other hand, p2p applications are designed to circumvent
> firewalls.

Well, not really - they’re designed to allow continuous communication.
That it opens a connection to the outside world isn’t ‘circumvention’,
it’s how it works.

> Windows is different, because listening ports have to be authorized per
> application. The “per application” part doesn’t exist in Linux.

Um, no, I don’t believe that’s correct for Windows. IE doesn’t need to
be “authorized” to access the Internet using the Windows firewall. It
allocates an ephemeral port just as Firefox or Chrome on Linux does, and
then sends a request to the target server, and the response comes back in.

In order to get the behaviour you’re describing, the outbound connection
request has to be blocked - and that’s something that a tool like
ZoneAlarm does. Windows Firewall (to the best of my knowledge) won’t
block outbound connections because it - like iptables - is only concerned
with ingress filtering.

Jim

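
A small model of the mechanism Carlos and Jim describe above (a reply to a request this host made is accepted because the connection is tracked, which is not the same as the high port being open to anyone, and a program listening on a port is unreachable from outside until that port is deliberately opened). This is an added illustration, not SuSEfirewall2, iptables or openSUSE code; the addresses, the port numbers 32767 and 6881 and the scenario names are made up, and the iptables rules in the docstring are the conventional equivalent of the modelled policy rather than anything posted in the thread.

```python
"""Model of a stateful, default-deny inbound firewall policy.

Added illustration for this thread; it is not SuSEfirewall2, iptables or
openSUSE code.  A high port is "open" only for the remote peer of a flow
this host started (the connection is tracked); that is different from the
port being open to anyone who wants to reach a program listening on it.

Conventional iptables equivalent of the policy modelled below (assumed,
not taken from the thread):

    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # only if you decide to expose a listener, e.g. a torrent client on 6881:
    iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
"""
from dataclasses import dataclass, field

Flow = tuple  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    host_ip: str
    # (proto, port) pairs explicitly opened for inbound connections.
    allowed_listeners: set = field(default_factory=set)
    # Flows this host initiated, recorded as they leave.
    conntrack: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        """OUTPUT side: not filtered in this model; it only records the flow."""
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        """INPUT side: rules evaluated in order, default policy DROP."""
        # ESTABLISHED: the packet is the reverse direction of a tracked flow.
        # The match is on the whole 5-tuple, so a third host sending to the
        # same local port does not match.
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack:
            return "ACCEPT"
        # An explicitly opened listening port (the Custom rules "Allow" case).
        if (pkt.proto, pkt.dport) in self.allowed_listeners:
            return "ACCEPT"
        return "DROP"  # default policy


# Constructed sample addresses from the RFC 5737 documentation ranges.
HOST = "192.0.2.5"
WEB_SERVER = "203.0.113.10"
PEER = "198.51.100.7"
STRANGER = "198.51.100.99"


def browser_scenario(fw: StatefulFirewall) -> str:
    """Jim's example: request from ephemeral port 32767 to port 80, then its reply."""
    fw.outbound(Packet("tcp", HOST, 32767, WEB_SERVER, 80))
    return fw.inbound(Packet("tcp", WEB_SERVER, 80, HOST, 32767))


def stranger_scenario(fw: StatefulFirewall) -> str:
    """Another host sending to 32767: the port is not open, only the tracked flow is."""
    return fw.inbound(Packet("tcp", STRANGER, 4444, HOST, 32767))


def torrent_scenario(fw: StatefulFirewall, listen_port: int = 6881) -> str:
    """Unsolicited connection from a peer to a port the client listens on."""
    return fw.inbound(Packet("tcp", PEER, 51000, HOST, listen_port))


def run_demo() -> dict:
    """Verdict for each scenario, before and after explicitly opening 6881."""
    fw = StatefulFirewall(HOST)
    verdicts = {
        "reply to own request": browser_scenario(fw),
        "stranger to same port": stranger_scenario(fw),
        "peer to listener, not opened": torrent_scenario(fw),
    }
    fw.allowed_listeners.add(("tcp", 6881))
    verdicts["peer to listener, opened"] = torrent_scenario(fw)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:30} -> {verdict}")
```

Run as-is to print the four verdicts. For the original question this is the "block everything unless I allow it" behaviour: the reply to an outbound request still gets in, a stranger sending to that same ephemeral port does not, and the torrent listener is unreachable until its port is added to the allowed set.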

On 2011-10-30 01:58, Jim Henderson wrote:
> On Sat, 29 Oct 2011 23:38:06 +0000, Carlos E. R. wrote:

>> That is different from having all high ports opened to connect to any
>> listening app inside. If you look at the firewall configuration, you may
>> see this deprecated variable:
>
> True.
>
>> On the other hand, p2p applications are designed to circumvent
>> firewalls.
>
> Well, not really - they’re designed to allow continuous communication.
> That it opens a connection to the outside world isn’t ‘circumvention’,
> it’s how it works.

Years ago, I had to open and forward ports in the router for amule to work.
Nowadays it is not needed. I don’t know how they do it now. And it is a
random port.

>> Windows is different, because listening ports have to be authorized per
>> application. The “per application” part doesn’t exist in Linux.
>
> Um, no, I don’t believe that’s correct for Windows. IE doesn’t need to
> be “authorized” to access the Internet using the Windows firewall. It
> allocates an ephemeral port just as Firefox or Chrome on Linux does, and
> then sends a request to the target server, and the response comes back in.
>
> In order to get the behaviour you’re describing, the outbound connection
> request has to be blocked - and that’s something that a tool like
> ZoneAlarm does. Windows Firewall (to the best of my knowledge) won’t
> block outbound connections because it - like iptables - is only concerned
> with ingress filtering.

I said “listening” apps. However, I do believe that windows firewalls can
also block outgoing connections (per app).


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Sun, 30 Oct 2011 00:23:05 +0000, Carlos E. R. wrote:

>> Well, not really - they’re designed to allow continuous communication.
>> That it opens a connection to the outside world isn’t ‘circumvention’,
>> it’s how it works.
>
> Years ago, I had to open and forward ports in the router for amule to
> work. Noways it is not needed. I don’t know how they do it now. And it
> is a random port.

UPnP is typically what’s used these days, though the router has to
support it - and typically it’s not recommended in the configuration for
security reasons (which I’ve never seen explained, honestly).

>> In order to get the behaviour you’re describing, the outbound
>> connection request has to be blocked - and that’s something that a tool
>> like ZoneAlarm does. Windows Firewall (to the best of my knowledge)
>> won’t block outbound connections because it - like iptables - is only
>> concerned with ingress filtering.
>
> I said “listening” apps. However, I do believe that windows firewalls
> can also block outgoing connections (per app).

I can’t find a way in Win7 to block outgoing connections. I do see,
though, that it does have the ability to block incoming connections, and
defaults to allowing connections from the local network but not the
‘public’.

But for applications like IE, Chrome, Firefox - no, Windows Firewall
cannot be used to block connections they create outbound from the box,
nor to block the incoming responses to those requests.

There’s a difference between a listener that assigns a dynamic port and
an application that uses a dynamic port to send and receive data from.
If it initiates the connection, then Windows Firewall can’t block it,
just like iptables can’t.

Jim


> I said “listening” apps. However, I do believe that windows firewalls can
> also block outgoing connections (per app).

I’m not sure about recent Windows versions, but certainly my XP firewall behaves this way, with the corresponding notification for my approval.

I much prefer the behaviour of iptables though.

BTW, I wanted to thank gzenum for starting this thread, and for Jim, Carlos, and glistwan’s input into the subsequent discussion. Very informative, especially to those coming from Windows… :slight_smile:

On 2011-10-30 02:43, Jim Henderson wrote:
> On Sun, 30 Oct 2011 00:23:05 +0000, Carlos E. R. wrote:

> UPnP is typically what’s used these days, though the router has to
> support it - and typically it’s not recommended in the configuration for
> security reasons (which I’ve never seen explained, honestly).

Mine doesn’t have it, as far as I know.

> I can’t find a way in Win7 to block outgoing connections. I do see,
> though, that it does have the ability to block incoming connections, and
> defaults to allowing connections from the local network but not the
> ‘public’.

I can’t say, but I saw it done. It depends on the brand of firewall (how
much you pay, I guess). A friend installed some program, this wanted to
open a port, and Windows opened a window to ask if it allowed or not.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)