Just a bit more. The connection is made from a client provided by the Tax Office. However, on their website they say that to use the software you must have a browser capable of 128-bit SSL installed, so it's possible they're using the browser protocol (HTTP?) and port.
I don't even know for sure that the thing will work through a NATted firewall at all. Does the lack of any relevant entries in my log (shorewall.log) mean that there is no relevant traffic being blocked? I do have some shorewall.log entries showing rejected connections. Should every rejected attempt to access any port be logged, unless there is a statement that specifically stops the logging? What I need to know is whether the lack of logs means there is no blocking or I'm not logging the right thing.

Thanks.

David Pitts

-----Original Message-----
From: Ray Olszewski [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 17 July 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Interesting Issue?

At 10:59 AM 7/17/2003 +0800, David Pitts wrote:
>Hi guys.
>
>I have just fallen over an interesting (I think) issue with firewalls
>in general that I'm hoping you can give me some ideas about.
>
>I'm trying to access an online tax return service provided by the
>Australian Tax Office. They're using some sort of SSL protocol for
>security. They won't tell me what ports it requires open because they
>say that impacts on their security.

You should think carefully before you trust sensitive information to a site that is run by someone who thinks he can keep secret the ports an active service uses. Put more bluntly, if someone really told you that, he or she is a jackass.

>I have found a list of SSL ports
>required for various protocols (ie ftp ssl, http ssl etc) but I'm not
>sure which protocols the Tax Office is using and there's no guarantee
>they've used standard ports anyway.

How are you making the initial connection? If it is from a browser, the browser has to know what destination port to send to. Even sniffing the LAN will get you that much info ... SSL does not encrypt the IP and TCP headers (it cannot, since intermediaries need to read them to route the packets).

>Anyone have any ideas how to get around this?
>If I booted my Bering
>as a router only (ie not firewall) would that help? I think I can
>select that option from the Network configuration file?

It depends. If you currently use NAT for your LAN, then you need to run a firewall, not just a router ... NAT'ing is part of what a firewall does.

About the only ways I can think of to sort this one out without cooperation from the other end are:

1. Bypass the Bering firewall entirely and connect your workstation directly to the Internet. You can assess the risks of this approach.

2. Check the logs on the Bering router to see what ports it is DENYing traffic to or from that involve connections to the Tax Office site (I assume they don't think they can keep their IP address secret too). You may have to increase Bering's logging to accomplish this.

3. Open -AND- port forward to your workstation any likely destination ports.

4. Complain to the Aussie equivalent of your Congressman.

But before you muck with any of this, you might want to get a better understanding of this "some sort of SSL protocol" fuzziness. Opening and forwarding ports accomplishes nothing if your workstation does not have something listening on each of the ports, and people (even Windows users) typically do not have a haphazard assortment of servers running just in case someone wants to run a bizarre and secretive security protocol.

>If that's not an option, I would like to have a play with allowing net
>to loc on all the ports I can find that look like they might have an
>SSL association. Do I just add an:
>
>ACCEPT net loc tcp 443
>ACCEPT net loc tcp 990 etc
>
>or do I need to DNAT each port to the particular loc IP?

Yes. In this context, DNAT is what I refer to above as port forwarding. But note my caveat above as well; I don't think doing all of this will actually help you.

>Whatever I do I wouldn't keep it as a permanent thing.

If I were faced with this problem, I'd take #2 of my suggested approaches.
I don't think #3 will actually work for you, and #1 requires more trust in government (and the Internet) than I have for *any* government (or system on the far side of my firewall).

-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time.
Free trial click here: http://www.vmware.com/wl/offer/345/0
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
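Ray's suggestion #2 (read the Bering logs for DROP/REJECT entries involving the remote site) and David's question about what shorewall.log silence means are the practical part of this thread. The following script is an added example, written for this page and not posted by either participant, that does that log review: it parses lines carrying Shorewall's "Shorewall:<chain>:<disposition>:" kernel-log prefix, keeps only DROP and REJECT entries that involve a given remote address, and tallies them by chain, disposition, direction and the port on the remote side. The sample log lines are constructed, using documentation addresses (203.0.113.5 stands in for the remote site, 198.51.100.2 for the firewall's external address, 192.168.1.10 for the workstation); the exact set and order of netfilter fields are assumed to match the usual kernel output, and SPT/DPT are treated as optional because ICMP entries carry neither.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Optional

# Shorewall prefixes each logged packet with "Shorewall:<chain>:<disposition>:" and the kernel
# appends its key=value fields. SRC, DST and PROTO are always present; SPT/DPT only for TCP/UDP.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):"
    r".*?\bSRC=(?P<src>\S+)"
    r".*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)"
    r"(?:.*?\bSPT=(?P<spt>\d+))?"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Constructed sample log (not from the thread). Addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 17 10:59:01 bering kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=1123 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 17 10:59:03 bering kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=990 DPT=1124 SYN URGP=0
Jul 17 10:59:05 bering kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=48 PROTO=TCP SPT=3562 DPT=135 SYN URGP=0
Jul 17 10:59:07 bering kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1125 DPT=443 SYN URGP=0
Jul 17 10:59:08 bering kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1126 DPT=990 SYN URGP=0
Jul 17 10:59:09 bering kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one Shorewall log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"],
        "disposition": d["disposition"],
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "spt": int(d["spt"]) if d["spt"] else None,
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def iter_records(text: str) -> Iterator[Dict[str, object]]:
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def blocked_for_host(text: str, host: str) -> Counter:
    """Count DROP/REJECT entries that involve `host`.

    Keys are (chain, disposition, direction, proto, remote_port): direction is "in" when the
    remote host is the packet source (its port is then SPT) and "out" when it is the
    destination (its port is then DPT). Accepted packets are ignored.
    """
    counts: Counter = Counter()
    for rec in iter_records(text):
        if rec["disposition"] not in ("DROP", "REJECT"):
            continue
        if rec["src"] == host:
            direction, remote_port = "in", rec["spt"]
        elif rec["dst"] == host:
            direction, remote_port = "out", rec["dpt"]
        else:
            continue
        counts[(rec["chain"], rec["disposition"], direction, rec["proto"], remote_port)] += 1
    return counts


def format_report(counts: Counter) -> List[str]:
    """Render the tally as fixed-width text rows, most frequent first."""
    rows = []
    for (chain, disp, direction, proto, port), n in sorted(
        counts.items(), key=lambda kv: (-kv[1], str(kv[0]))
    ):
        port_txt = "-" if port is None else str(port)
        rows.append(f"{n:4d}  {chain:<10} {disp:<7} {direction:<3} {proto:<5} remote port {port_txt}")
    return rows


if __name__ == "__main__":
    for row in format_report(blocked_for_host(SAMPLE_LOG, "203.0.113.5")):
        print(row)
```

Run it against a real shorewall.log by reading the file into `blocked_for_host` in place of `SAMPLE_LOG`. One caveat that bears on David's question: Shorewall only writes an entry for a policy or rule that has a log level set (the LOG LEVEL column in the policy file, or a `DROP:info`-style action in the rules file), so an empty log proves only that the logged rules did not fire, not that nothing was blocked; raising the log level on the relevant policy, as Ray suggests, is what makes the silence meaningful.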