On Wed, 9 Jun 1999, Mats Oldin wrote:

> I'm just about to set up a firewall and have some questions
> about ssh. 
> 
> Our firewall is configured so that all traffic from LAN is
> allowed. The question is what traffic from WAN to LAN I must
> allow in order to allow ssh connections in both directions.
> 
> I've seen that the ssh client uses a local port somewhere between
> 1019:1023 to call the remote ssh server on port 22 (all ports tcp). 
> Does anyone know if allowing tcp traffic from WAN on these ports is
> enough or if the interval 1019:1023 is even greater?

The ssh client will use either privileged or unprivileged ports,
depending on a setting in the configuration file.

ISTR that when using ports < 1024, it searches for a free port
starting at 1023 and working downwards. Hence, you're going to need to
open between 1023 and (1023 - maximum open sessions) worth of ports.

The (better?) way is to tell the client to use a non-privileged port,
then your general access rules should let it work. Another tip is that
for 2.2.x you can tweak the range of non-privileged ports provided,
so you can use a range you know you won't have any well known services
on. It's a tunable under /proc.

Cheers,

Mark

+-------------------------------------------------------------------------+
Mark Cooke                  The views expressed above are mine and are not
Systems Programmer          necessarily representative of university policy
University Of Birmingham    URL: http://www.sr.bham.ac.uk/~mpc/
+-------------------------------------------------------------------------+
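The two behaviours described in the reply, as an added worked example that is not part of the original thread and not code from any ssh or kernel source: the client walking down from 1023 looking for a free privileged source port, the span of ports a stateless WAN-to-LAN return rule must then cover for a given number of concurrent sessions, and the alternative of reading the 2.2 tunable /proc/sys/net/ipv4/ip_local_port_range to get the unprivileged range instead. The lower bound of the privileged search (512), the LAN address 192.168.1.0/24, the tuple layout of the generated rules and the sample /proc contents are assumptions made here for illustration; the real search bound depends on the ssh version, and mapping the tuples onto ipchains or another filter's syntax is left to the reader.

```python
# Added example (not from the original thread): a model of the ssh client's
# source-port choice and of the stateless WAN->LAN rules the return traffic
# needs. Search bounds, addresses and the rule layout are assumptions.

PRIV_TOP = 1023     # the client searches downward from here (per the reply)
PRIV_BOTTOM = 512   # assumed lower bound of the search; depends on ssh version
SSH_PORT = 22


def pick_privileged_port(in_use, top=PRIV_TOP, bottom=PRIV_BOTTOM):
    """Return the highest free port in [bottom, top], searching downward.

    Mirrors the reply's description of a client configured for privileged
    ports: start at 1023 and walk down until a port is not already bound.
    """
    for port in range(top, bottom - 1, -1):
        if port not in in_use:
            return port
    raise OSError("no free privileged source port in %d-%d" % (bottom, top))


def simulate_sessions(n, in_use=None):
    """Open n concurrent privileged-port sessions; return the ports chosen."""
    in_use = set(in_use or ())
    chosen = []
    for _ in range(n):
        port = pick_privileged_port(in_use)
        in_use.add(port)
        chosen.append(port)
    return chosen


def privileged_source_range(max_sessions):
    """Source-port span the return rule must cover for up to max_sessions
    simultaneous outbound ssh clients that use privileged ports."""
    if max_sessions < 1:
        raise ValueError("max_sessions must be >= 1")
    return (PRIV_TOP - max_sessions + 1, PRIV_TOP)


def parse_ip_local_port_range(text):
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range
    (two integers: low and high) into a validated (low, high) tuple."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("expected two integers, got %r" % text)
    lo, hi = int(fields[0]), int(fields[1])
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError("implausible unprivileged range %d-%d" % (lo, hi))
    return (lo, hi)


def wan_to_lan_rules(lan_net, client_ports, serve_ssh=True):
    """Build the WAN->LAN allow rules as plain tuples of
    (proto, src_port_range, dst_net, dst_port_range, tcp_flags),
    independent of any one packet filter's syntax.

    - Return traffic for LAN clients: from server port 22 to the client's
      source-port span, non-SYN only, so the hole cannot be used to open
      a fresh connection into the LAN.
    - Optionally, new connections from the WAN to sshd on the LAN; any
      source port, since a WAN client may itself use a privileged one.
    """
    rules = [("tcp", (SSH_PORT, SSH_PORT), lan_net, client_ports, "!SYN")]
    if serve_ssh:
        rules.append(("tcp", (1, 65535), lan_net, (SSH_PORT, SSH_PORT), "any"))
    return rules


if __name__ == "__main__":
    ports = simulate_sessions(5)
    print("privileged ports chosen for 5 sessions:", ports)
    print("return-rule span (privileged):", privileged_source_range(5))
    # Constructed sample of what the 2.2 tunable looks like when read:
    sample_proc = "32768\t61000\n"
    unpriv = parse_ip_local_port_range(sample_proc)
    print("return-rule span (unprivileged):", unpriv)
    for rule in wan_to_lan_rules("192.168.1.0/24", unpriv):
        print(rule)
```

With five concurrent sessions the model yields exactly the 1019:1023 span the original question observed; the privileged span grows by one port per additional session, which is why moving the client to unprivileged ports and matching the kernel's own ip_local_port_range (after narrowing it away from any well known service ports) is the more predictable rule to write. The "!SYN" flag on the return rule is the check a practitioner should keep in any stateless filter of this era: without it the opened source-port span also admits new inbound connections.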
