Hi guys.
I have just fallen over an interesting (I think) issue with firewalls in general that I'm hoping you can give me some ideas about.
I'm trying to access an online tax return service provided by the Australian Tax Office. They're using some sort of SSL protocol for security. They won't tell me what ports it requires open because they say that impacts on their security.
You should think carefully before you trust sensitive information to a site that is run by someone who thinks he can keep secret the ports an active service uses. Put more bluntly, if someone really told you that, he or she is a jackass.
I have found a list of SSL ports required for various protocols (ie ftp ssl, http ssl etc) but I'm not sure which protocols the Tax Office is using and there's no guarantee they've used standard ports anyway.
How are you making the initial connection? If it is from a browser, the browser has to know what destination port to send to. Even sniffing the LAN will get you that much info ... SSL does not encrypt the IP and TCP headers (it cannot, since intermediaries need to read them to route the packets).
Anyone have any ideas how to get a round this? If I booted my Bering as a router only (ie not firewall) would that help? I think I can select that option from the Network configuration file?
It depends. If you currently use NAT for your LAN, then you need to run a firewall, not just a router ... NAT'ing is part of what a firewall does.
About the only ways I can think of to sort this one out without cooperation from the other end are:
1. Bypass the Bering firewall entirely and connect your workstation directly to the Internet. You can assess the risks of this approach.
2. Check the logs on the Bering router to see what ports it is DENYing traffic to or from that involve connections to the Tax Office site (I assume they don't think they can keep their IP address secret too). You may have to increase Bering's logging to accomplish this.
3. Open -AND- port forward to your workstation any likely destination ports.
4. Complain to the Aussie equivalent of your Congressman.
But before you muck with any of this, you might want to get a better understanding of this "some sort of SSL protocol" fuzziness. Opening and forwarding ports accomplishes nothing if your workstation does not have something listening on each of the ports, and people (even WIndows users) typically do not have a haphazard assortment of servers running just in case someone wants to run a bizarre and secretive security protocol.
If that's not an option, I would like to have a play with allowing net to loc on all the ports I can find that look like they might have an SSL association. Do I just add an:
ACCEPT net loc tcp 443 ACCEPT net loc tcp 990 etc
or do I need to DNAT each port to the to the particular loc IP?
Yes. In this context, DNAT is what I refer to above as port forwarding. But note my caveat above as well; I don't think doing all of this will actually help you.
Whatever I do I wouldn't keep it as a permanent thing.
If I were faced with this problem, I'd take #2 of my suggested approaches. I don't think #3 will actually work for you, and #1 requires more trust in government (and the Internet) than I have for *any* government (or system on the far side of my firewall).
------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
