Limit total number of outgoing ports

Is it possible to limit the overall number of outgoing ports used?

I don’t want to block specific outgoing ports, just limit the overall number that are in use at a time. Our university network disconnects entirely machines that attempt to use too many ports at once, and I want to prevent these disconnects.

Alternatively, is it possible to block outgoing ports on a per application basis? In this case I could just block huge outgoing port ranges for the offending applications only (which do not allow these limitations in their settings), without disabling the well-behaved programs on my machine.

> Our university network disconnects entirely machines that attempt to use too many ports at once, and I want to prevent these disconnects.

They do this for a reason. The solution could be not to use any programs using a lot of outgoing ports concurrently?

The applications in question are allowed. The admins suggest workarounds for Windows and MacOS, but not for Linux, which is why I am here.

The MacOS workaround is to block outgoing ports per application (for the applications known to cause trouble, e.g. Skype)

The reason for the network block is that the port scan detection, to identify infected machines inside the network, is a bit trigger happy. Also, the entire university network is placed behind NAT.

Maybe PeerGuardian (no openSUSE package known to me) or iplist?


Use sysctl to set this. The option is the following:

net.ipv4.ip_local_port_range = 32768 61000

and you can see it like this:

cat /proc/sys/net/ipv4/ip_local_port_range

You can do restricting of outgoing ports by user, so if you always ran
your scanner as a certain user you could limit it.

Good luck.


Want to yell at me in person?
Come to BrainShare 2011 in October: http://tinyurl.com/brainshare2011
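Added example from the editor, not code posted in the thread, to go with the sysctl answer above. Before narrowing ip_local_port_range or restricting a user, it helps to know how many distinct local ports each UID actually holds, since that is what a port-scan detector of the kind described sees. The script counts them from tables in /proc/net/tcp layout (the same layout /proc/net/udp, tcp6 and udp6 use) and compares the ephemeral-range width. The UIDs, the limit of 4 and the sample table are my constructed assumptions; on a live host pass the real /proc/net files.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Counts the distinct local
# ports each UID holds open, in /proc/net/tcp layout, so you can see who is
# approaching the detector's threshold before the network cuts you off.
# Assumptions: the detector keys on distinct local ports, and the noisy
# program runs under its own UID (1001 in the constructed sample below).

# Distinct local ports held by UID across one or more /proc/net/{tcp,udp}[6]
# files (the live tcp and udp tables when no file is given). Field 2 is
# "hexaddr:hexport", field 8 is the owning uid; FNR > 1 skips each file's
# header line; port 0000 is an unbound socket, not a port in use.
port_count() {
    uid=$1; shift
    [ "$#" -eq 0 ] && set -- /proc/net/tcp /proc/net/udp
    awk -v u="$uid" '
        FNR > 1 && $8 == u {
            split($2, a, ":")
            if (a[2] != "0000" && !(a[2] in seen)) { seen[a[2]] = 1; n++ }
        }
        END { print n + 0 }' "$@"
}

# The same ports in decimal, sorted, for a quick look at what a program does.
port_list() {
    uid=$1; shift
    [ "$#" -eq 0 ] && set -- /proc/net/tcp /proc/net/udp
    awk -v u="$uid" 'FNR > 1 && $8 == u { split($2, a, ":"); if (a[2] != "0000") print a[2] }' "$@" |
        sort -u | while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n
}

# Width of the ephemeral range: "32768 61000" gives 28233 usable ports.
port_range_width() {
    awk '{ print $2 - $1 + 1 }' "${1:-/proc/sys/net/ipv4/ip_local_port_range}"
}

# Exit 0 when UID holds more than LIMIT distinct ports.
over_limit() {
    uid=$1; limit=$2; shift 2
    [ "$(port_count "$uid" "$@")" -gt "$limit" ]
}

# Constructed sample in /proc/net/tcp layout: uid 1000 holds 5900 (0x170C,
# once listening and once accepted) and 49152 (0xC000); uid 1001 holds
# 8000-8005 (0x1F40-0x1F45), port 8000 being used by two connections.
write_sample_table() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24567 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:170C 0A000210:D4A2 01 00000000:00000000 00:00000000 00000000  1000        0 24568 1 0000000000000000 20 4 30 10 -1
   2: 0A00020F:C000 5E123456:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 24570 1 0000000000000000 20 4 30 10 -1
   3: 0A00020F:1F40 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24580 1 0000000000000000 20 4 30 10 -1
   4: 0A00020F:1F41 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24581 1 0000000000000000 20 4 30 10 -1
   5: 0A00020F:1F42 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24582 1 0000000000000000 20 4 30 10 -1
   6: 0A00020F:1F43 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24583 1 0000000000000000 20 4 30 10 -1
   7: 0A00020F:1F44 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24584 1 0000000000000000 20 4 30 10 -1
   8: 0A00020F:1F45 C0A80001:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24585 1 0000000000000000 20 4 30 10 -1
   9: 0A00020F:1F40 C0A80002:0D66 01 00000000:00000000 00:00000000 00000000  1001        0 24586 1 0000000000000000 20 4 30 10 -1
EOF
}

# Stand-alone: report on the sample, or on the table files given as arguments,
# e.g. "sh portcount.sh /proc/net/tcp /proc/net/tcp6 /proc/net/udp" on a host.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp); write_sample_table "$sample"; set -- "$sample"
fi
for u in 1000 1001; do
    if over_limit "$u" 4 "$@"; then state=OVER; else state=ok; fi
    printf 'uid %s: %s distinct ports [%s]\n' "$u" "$(port_count "$u" "$@")" "$state"
done
if [ -n "${sample:-}" ]; then rm -f "$sample"; fi
```

Run it every few seconds during a call and you see which UID climbs; a narrower ip_local_port_range only caps what the whole machine can allocate, which is why the per-user count is the more useful number here.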

I don’t think this will work. :frowning: The problem is when I am teleconferencing: I need VNC and the SmartBoard software to run, acting as client or server depending on the setup of my remote colleagues. If I block all outgoing ports via sysctl, then those will stop working, won’t they?
On the other hand, I don’t think I can run my “scanner” as another user, since audio never works for programs started with “su -u” nor “kdesu -u”, and Skype without audio is rather pointless.

In general for <most> typical apps, I don’t see your question as very practical.

Ordinarily, after an initial connection by an application, the application typically will make any number of secondary connections in support of the primary connection and those aren’t easily controlled. The consequences of restricting numbers or port range can be unpredictable, you might experience only a slower session as connections are forcibly closed so a resource can be re-used, maybe worse.

The exception to this that immediately comes to mind of course is Peer to Peer File Sharing, but most decent apps will allow configuring connections and some will even close half-open connections for you. There are also other apps that are built with a Peer to Peer architecture but hardly ever try to sustain the massive number of half open connections P-P file sharing does, so they <could> be affected but wouldn’t be expected.

You mention “teleconferencing” using VNC and SmartBoard. I’m familiar with the former but not the latter. Do you really know that these apps will run afoul of your ISP? Unless you’re teleconferencing a number of others at once (eg as a Server to multiple clients or connecting to multiple Servers at once), VNC shouldn’t be an issue.

IMO,
Tony

No, my problem is just with Skype. VNC and the SmartBoard run just fine, but of course we want to discuss alongside our whiteboard scribbling. This works fine in principle, but once the Skype client decides to become a supernode, the port scan protection activates and disconnects the entire machine. And Skype almost always does this 1-2 minutes after a call has started, since we have high bandwidth, lots of Skype users and obviously no supernodes in our network. Our current solution is switching the SmartBoard server to Windows, since the Windows Skype client can be prevented from supernode mode through registry keys. However, no such switch exists for the outdated Linux Skype client.

I would prefer to run Linux on our conferencing server (especially since it needs open outside ports for partners to connect), but getting our partners, more than 6 foreign universities, to switch simultaneously to another VoIP software is hopeless from a practical viewpoint. So unless we can rein in Skype to behave nicely under Linux, we’re stuck with Windows.

On 2011-09-25 11:46, STurtle wrote:

> I would prefer to run Linux on our conferencing server (especially since
> it needs open outside ports for partners to connect), but getting our
> partners, more than 6 foreign universities, to switch simultaneously to
> another VoIP software is hopeless from a practical viewpoint. So unless
> we can rein in Skype to behave nicely under Linux, we’re stuck with
> Windows.

Skype was forbidden on some universities precisely for that behaviour.

I know there are rules in iptables to block a user (or apps running under
some user or group) from connecting at all to outside, but I don’t know if
there is a similar trick to limit the number of ports. I’m no iptables
expert, so have a good read of the manuals, perhaps there is something.

A solution would be to virtualize a windows guest, and run skype in there.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
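The per-user iptables trick Carlos mentions does exist for counting flows, not just for blocking: the owner match selects packets by the sending account and the connlimit match fires once more than N connection-tracked flows are live. This is an added example from the editor, not code posted in the thread. The account name "skypeuser", the cap of 50 and the assumption that the detector counts roughly what conntrack counts are mine; it presumes the xt_owner and xt_connlimit modules and must run as root to apply anything.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): cap the number of parallel
# outbound flows one Unix account may hold, using iptables' owner and connlimit
# matches, so a program run under that account cannot burn through ports.
# Assumptions: the program runs as its own account ("skypeuser" here), a cap of
# 50 flows stays under the detector's threshold, and the kernel has xt_owner and
# xt_connlimit. DRY_RUN=1 (the default) prints the rules; run as root with
# DRY_RUN=0 to apply them.

: "${DRY_RUN:=1}"

# Print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The two rules for USER with cap MAX, with ACTION -A (add) or -D (delete).
# connlimit counts the live conntrack entries this rule has seen, and
# --connlimit-mask 0 pools every local address into one counter, so
# "above MAX" fires on the (MAX+1)th concurrent flow. New TCP connections
# (SYN only) get a reset so the application fails fast; UDP is dropped,
# since there is nothing useful to reply with.
flow_rules() {
    action=$1; user=$2; max=$3
    ipt "$action" OUTPUT -m owner --uid-owner "$user" -p tcp --syn \
        -m connlimit --connlimit-above "$max" --connlimit-mask 0 \
        -j REJECT --reject-with tcp-reset
    ipt "$action" OUTPUT -m owner --uid-owner "$user" -p udp \
        -m connlimit --connlimit-above "$max" --connlimit-mask 0 -j DROP
}

limit_user_flows()   { flow_rules -A "$@"; }
unlimit_user_flows() { flow_rules -D "$@"; }

# Stand-alone: "sh flowcap.sh [USER] [MAX]" prints the rules;
# "DRY_RUN=0 sh flowcap.sh skypeuser 50" applies them as root.
limit_user_flows "${1:-skypeuser}" "${2:-50}"
```

Two caveats. connlimit counts flows rather than ports; a program that opens many sockets without ever sending a packet is invisible to it, but the supernode behaviour described in the thread is exactly the kind of chatter it sees. And the rules only help once the offending program really runs under the separate account, which is the audio problem with su and kdesu raised earlier in the thread; with the rules in place, "iptables -L OUTPUT -v -n" shows the packet counters climbing on the REJECT and DROP lines when the cap is hit.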

A quick search returns top entries from the Skype forums that say NAT and likely HTTP proxies automatically disable the Supernode function.

If that is the case, then

  • You must block Skype’s regular ports, forcing Skype to fall back to running over HTTP.
  • You might want to verify you’re not already behind NAT, i.e. that neither your IPv4 nor your IPv6 address is public.
  • If you must deploy an HTTP proxy, there should be a few you can run locally that are lightweight enough not to affect performance significantly.

HTH,
Tony