[Shorewall-newbies] Newbie - How to open range of RTP ports

Tom Eastep teastep at shorewall.net
Sat Jan 10 20:21:03 PST 2004


On Sat, 10 Jan 2004, Richard Atcheson wrote:

> 	I just want to ask a little question or perhaps just get some clarification
> on this port range thing.  I am using the Vonage VOIP which requires the same
> 10k to 20k port range and in my system I DNAT them to 192.168.1.152 which is
> the CISCO ATA 186 adapter.  From what I read in this thread, that is safe
> cause the only place those ports go is to the ATA.  Assuming the ATA will
> only respond to data it is looking for i.e., the phone stuff, any attempt by
> someone to hack into my system would be fruitless???  So I and anyone else
> with a similar setup should not have to worry about intruders.
>
> 	Is that a fair statement?  I suspect a lot of people are a bit paranoid about
> opening ports thinking that an open port is tantamount to letting the wolf
> through the door.  From what you have written it seems like an open port is
> kind of a bit bucket if it is properly monitored by some program/device such
> as the ATA and we only need to worry if that open port is not monitored
> properly.  Is my understanding accurate or am I FOS?
>

As I see it, once you have installed a good firewall, the two biggest
threats to your systems are:

a) Servers that you expose to the internet.
b) Your Microsoft system's email clients.

The latter should be addressed with a good Windows AV program. Your post
deals with the former.

Hacking internet-exposed servers usually involves sending it requests that
result in buffer overflows which then cause the server program to run
another program or command. That is where the "....how well it is
written..." thing comes in. If the server is immune to buffer-overflow exploits,
then you are safe. But Apache, Sendmail, etc. have all been found to have
these sorts of vulnerabilities.

So the best approach is to isolate your internet-exposed servers on their
own LAN segment. That way, if one of them is hacked, you don't compromise
your private systems.

-Tom
--

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
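
As an added illustration (not part of the thread and not Shorewall project documentation), here is how the setup discussed above could be expressed in Shorewall's policy and rules files: the UDP 10000:20000 range and the ATA address 192.168.1.152 come from Richard's post, while the zone names net, loc and dmz and the DMZ layout are assumptions.

```text
# /etc/shorewall/policy   (zones net, loc and dmz assumed to be defined in /etc/shorewall/zones)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    ACCEPT
dmz       loc    DROP     info      # isolation: a hacked DMZ host has no path to the private LAN
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
# Vonage RTP range forwarded only to the ATA, as in the original post (ATA kept on loc)
DNAT      net      loc:192.168.1.152    udp     10000:20000
# To follow the advice above, give the ATA (or any exposed server) a DMZ address and
# point the DNAT there instead (placeholder address, not from the thread):
#DNAT     net      dmz:<dmz-address-of-exposed-host>   udp   10000:20000
```

With the dmz-to-loc policy set to DROP, the exposed host can still be reached from the internet on the forwarded range, but a compromise of it does not give an attacker a route into the private systems.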
