On Thu, 2003-06-19 at 02:13, rikona wrote:

> Hello Technoslick,
>
> Monday, June 16, 2003, 12:00:42 PM, you wrote:
>
> T> No, thankfully. It just has to be an executable that shows itself
> T> in calling for services through ports that need to be opened.
>
> Are you certain that it actually knows that the exact app is running
> on the original computer? This might be just port triggering in which
> ANY app on *THAT* computer will trigger the port to open, with
> returned packets routed to that IP. (The router remembers the IP
> address, NOT the app running). It might be that the app name is just
> there to help the reader remember which app is using which ports that
> are being triggered.

'Port Triggering' is the feature present on this particular router/gateway. No other app but the one assigned in the router, and only to the extent that the range is specified there, will open any additional ports. If I specify the exact name of the executable that will be needing specific ports open, it would seem logical that any client on the network that runs this app will dynamically open the specified ports upon request. I have checked this out. Any PC in this house can run ICQ, simultaneously at that, and those ports do open up to allow for the need. Secondly, running another IM needing a similar set of ports open, same machine or another, is dead in the water. This feature is specific as well as dynamic, and will not allow other traffic through that is not specified in the router. That's Port Triggering... at least the way Linksys does it. :0)

> You could check this by having two apps that use the same port. Place
> one app name in the router table, but run the other app on the same
> machine, and see if it opens the port anyway.

Been there. Done it. Doesn't work.

> BTW, port triggering does not need H.323 to work, and would work with
> the linux box, for any app, just as well.

That may be. I was speculating since there was nothing better to do with my limited understanding. ;0)

> Dynamic port triggering is certainly better than static port opening.

You got my vote! I like this feature immensely. If I have to open up my firewall, I want to do so transparently and for the least amount of time.

> I am comforted by having the fw first check the md5 signature of the
> designated app - if it's OK, then open the port for that app only.

Your current firewall, you mean?

> T> Exactly. If you have ICQ (continuing the example) run at different
> T> times over the network by different clients, you would need to go
> T> into DMZ just to keep up with the requests. If you do that, it
> T> can't be a firewall anymore.
>
> T> To provide software firewalls on each client that would do this as
> T> needed, you still would have to put the router's firewall into DMZ or
> T> nothing gets through the firewall barrier to the Web.
>
> Not necessarily. A stateful inspection firewall can provide protection
> without needing to create a DMZ. I run a SI firewall, with app-aware
> fw's on each computer. The SI firewall does not need a DMZ (at least
> for this purpose). The app-aware fw's allow ONLY a specified app for
> the designated port(s), and will deny the same port(s) to any other
> app.

I think you missed my point. My position on this discussion has been geared toward the particular situation in which some of us are: we use a hardware firewall (via router) and wish to open ports for H.323 communications. If the router cannot open ports dynamically, it will require being placed into DMZ mode (for those that didn't know this, DMZ -- De-Militarised Zone -- means all ports open!). Some routers are not able to provide dynamic ports at all. These will have to be placed in DMZ mode as well. I have a friend who's using an SMC Barricade router/gateway/firewall that is an excellent device, but not capable of Port Triggering or Dynamic Ports. To video conference, that router must be placed into DMZ mode. With Dynamic Port Triggering, the router automatically adjusts port usage for the specified apps that would need it, as needed.

Where I think we are running two separate ideals here is that I'm assuming that whether an SI firewall is in use or not, the router's firewall is still functional. In this scenario, it doesn't matter what the SI firewall will or will not do. If the last firewall to govern inbound/outbound traffic is the router, it ultimately rules. Do you see my point? I think what you are telling me, correctly so, is that *if* I had a stateful inspection firewall running, and tweaked properly, I wouldn't need the hardware firewall. I wouldn't argue the point. I think you are correct, from what I have read about the way they operate. Be that as it may, it doesn't apply, because it's about how to protect ourselves with what we have -- hardware firewalls that come with our IP forwarding routers -- and how to open the needed ports without excessive violation of security.

To summarize, any SI firewall operating behind one of these routers is at the mercy of that router's capabilities. If the router doesn't have Port Triggering, either specific ports must be manually opened or it must be made to go into DMZ mode. The SI firewall would take care of the incoming/outgoing traffic, as you have said, but only at the expense of the router's ability to be a strong or useful firewall.

Getting back to the original topic, I'm hoping to find some way to get my Linksys router to dynamically open ports for H.323 communication in Linux. Specifying the app name doesn't seem to work. It may be a matter of finding the correct app names involved. I find it hard to believe at this time that this is a Windows-only feature.

> T> Gnomemeeting is supposed to be a NetMeeting clone/client. It's got
> T> to be as much a security issue in Linux as in the Windows
> T> environment.
>
> If it needs all those ports, then yes, it would be a big risk. If you
> need to leave that many ports open, why bother with a firewall? :-)

I agree, but again the situation is not a permanent one. I am certainly not going to have a box run NetMeeting or Gnomemeeting 24/7. Anyone that would do so would require a set-up that dynamically handles such a need, or there is no point in a firewall. For normal, periodic use, it's different. This whole discussion is really a tweaking issue, since all I would ever have to do is put the router into DMZ mode. Then I could communicate in any way necessary. I don't want to do this if I don't have to.

Thanks for the interesting discussion on SI firewalls. :0)

T
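The thread contrasts DMZ mode (every inbound port forwarded) with port triggering (an inbound range opened for one LAN host, only after it sends traffic on the trigger port, and only for a while). The following simulation is an added example, not part of the original message or any Linksys firmware; it models the simplest form of triggering (keyed on the LAN host's IP and the trigger port, with a timeout) and deliberately leaves out the app-name check debated above, so it can show the exposure difference between the two modes. Port numbers, hosts and the timeout are constructed values.

```python
class Router:
    """Simplified NAT router model (constructed example, not real firmware).

    mode 'dmz':     every unsolicited inbound packet is forwarded to dmz_host.
    mode 'trigger': an inbound range is opened for a LAN host only after that
                    host sends outbound traffic on the rule's trigger port,
                    and only for `ttl` seconds (then it closes again)."""

    def __init__(self, mode, dmz_host=None, rules=None, ttl=60):
        self.mode = mode
        self.dmz_host = dmz_host
        self.rules = rules or []      # list of (name, trigger_port, (in_lo, in_hi))
        self.ttl = ttl
        self.open = {}                # (lan_host, in_lo, in_hi) -> expiry time

    def outbound(self, lan_host, dst_port, now):
        """Record an outbound packet; in trigger mode it may open a range."""
        if self.mode != "trigger":
            return
        for _name, trig, (lo, hi) in self.rules:
            if dst_port == trig:
                # Only the triggering host gets the range, and only for ttl seconds.
                self.open[(lan_host, lo, hi)] = now + self.ttl

    def inbound(self, dst_port, now):
        """Return the LAN host that receives an unsolicited inbound packet, or None."""
        if self.mode == "dmz":
            return self.dmz_host      # everything reaches the host: no firewall left
        for (host, lo, hi), expiry in list(self.open.items()):
            if now > expiry:
                del self.open[(host, lo, hi)]   # expired: range closes again
                continue
            if lo <= dst_port <= hi:
                return host
        return None                   # dropped by the router's firewall


def demo():
    # Constructed rule: outbound TCP 1720 (H.323 call setup) opens inbound 5000-5010.
    r = Router("trigger", rules=[("h323", 1720, (5000, 5010))], ttl=30)
    before = r.inbound(5005, now=0)           # nothing triggered yet -> None
    r.outbound("192.168.1.10", 1720, now=1)   # host .10 places a call
    during = r.inbound(5005, now=2)           # -> "192.168.1.10"
    outside = r.inbound(6000, now=2)          # port outside the range -> None
    after = r.inbound(5005, now=40)           # ttl expired -> None
    d = Router("dmz", dmz_host="192.168.1.10")
    dmz = d.inbound(6000, now=0)              # DMZ: any port reaches the host
    return before, during, outside, after, dmz
```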