[clug] Firewall settings on NetGear modem/router?
Paul Wayper
paulway at mabula.net
Sat Jun 27 04:21:46 GMT 2009
On 27/06/09 11:58, Neill Cox wrote:
> Hi Felix,
>
> Unless you are trying to run actual servers on your local network (eg a web
> server for http and https, and a mail server for smtp, pop3 and imap) having
> your firewall allow outgoing traffic should be enough.
>
> If you do need to allow clients on the internet to connect to servers on
> your local machine you are looking for the port forwarding setting on the
> firewall.
It is worth noting here that most firewalls recognise 'established' and
'related' connections, and let them through automatically. Basically, the
firewall keeps track of what outgoing requests you make - it remembers the
'ID' of the initial packet that your computer sent out (when requesting the
web page, or whatever). Then, when the return packet comes back, it has the
matching ID and the firewall lets it back in. All further packets with the
matching ID are similarly let through; when the connection is terminated by
either end the firewall closes that door again.
'Related' connections happen for a few services, most notably FTP. Your
computer sends an outgoing request to connect to the server on port 21. Your
firewall recognises this and listens into that connection. When your computer
and the server have agreed on what file to send they also agree to send the
data on a separate port. At this point the firewall has listened to the
'control' connection on port 21 and knows which port the server is going to
send data to on your firewall, so that port is opened up for that machine.
Again, when the control connection is complete (both) the openings in the
firewall are closed again.
So you shouldn't have to open up incoming connections on any firewall that's
even vaguely modern in order to do your normal outgoing connections.
If you want to run something like BitTorrent to download the latest Linux
distributions, then you do need to allow certain incoming ports. This is
because these protocols work by everyone that's got parts of the file talking
to each other - so your computer is talking to others, and others are trying to
connect to yours, to share bits of the file. Likewise, if you're running a
web server then you would need to open port 80 up because other computers will
be trying to do that first 'initiate' connection to you, and the firewall
won't know about them beforehand otherwise.
Hopefully that all makes sense and clarifies the issue.
Have fun,
Paul
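As an added illustration of the 'established'/'related' tracking Paul describes (this is example code written for this page, not part of the original post or any real firewall), the toy packet filter below models a connection's 'ID' as its protocol/address/port tuple, lets replies to outbound connections back in, opens the data port announced on an active-mode FTP control channel, and otherwise only admits inbound packets on explicitly forwarded ports. All packets and addresses are constructed sample values.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool     # True if it arrives from the internet side
    payload: str = "" # only the FTP control channel is inspected

class StatefulFirewall:
    def __init__(self, forwarded_ports=()):
        self.forwarded = set(forwarded_ports)  # explicitly opened ports (e.g. 80)
        self.established = set()  # keys of connections the inside started
        self.expected = set()     # (proto, remote_ip, local_port) for 'related' data

    def _key(self, p):
        # Same key whichever direction the packet travels: the connection's 'ID'
        if p.inbound:
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _track_ftp(self, p):
        # Active FTP: "PORT h1,h2,h3,h4,p1,p2" on port 21 asks the server to
        # connect back to local port p1*256+p2, so expect that connection.
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", p.payload)
        if p.dport == 21 and m:
            self.expected.add(("tcp", p.dst, int(m[5]) * 256 + int(m[6])))

    def filter(self, p):
        key = self._key(p)
        if not p.inbound:                       # outgoing: remember it, let it go
            self.established.add(key)
            self._track_ftp(p)
            return "ACCEPT"
        if key in self.established:             # reply to something we sent
            return "ACCEPT"
        if (p.proto, p.src, p.dport) in self.expected:  # related data connection
            self.expected.discard((p.proto, p.src, p.dport))
            self.established.add(key)
            return "ACCEPT"
        if p.dport in self.forwarded:           # port forwarded (server/BitTorrent)
            self.established.add(key)
            return "ACCEPT"
        return "DROP"                           # unsolicited: the door is closed

    def close(self, p):
        # Connection terminated by either end: forget it so replies stop matching
        self.established.discard(self._key(p))
```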