
Ports and port ranges

IANA considers registerable ports to be 1024 through 49151, and above that to be "dynamic and/or private ports". The ports below that are for common services, and OSes may deny user programs to listen to these ports, for security reasons (e.g. making it a little harder to replace common services).

The concept of ephemeral ports is the range that is used for network calls that don't care what port gets used:
- primarily outgoing connections (allocated by the OS)
- incoming connections for services that should not occupy the listening port (notably HTTP) (verify)

Your basic workstation only really needs them when making outbound connections, and often at most a few dozen at a time. Even things like peer-to-peer protocols often don't reach this limit. Some very busy servers may wish to expand the range of their ephemeral ports (in part because a port can't be reused for a minute or so due to the TIME_WAIT detail of TCP).

Most OSes make a split between ephemeral and non-ephemeral. Ephemeral is regularly some range within 50K-65K (staying above the IANA registerable range), and most OSes allocate at least 4000 ephemeral ports, so there is usually no need to change this. The precise range of ports considered ephemeral varies per OS (and sometimes version of it):
- Linux: see /proc/sys/net/ipv4/ip_local_port_range
- Windows: since Vista it uses 49152 through 65535

In practice, these ranges are not very strict. Various services choose ports in any of these ranges.

Some common ports:
- 22: SSH (also SCP, SFTP, also rsync over SSH and others)
- 5900+n: VNC, where n is the display number and most uses stay under a handful (a hundred down (5800+ etc) is the java client you can mostly ignore)
- 53/UDP: DNS (apparently 53/TCP is used to sync DNS servers)
- 8080, 8880, 8888 and such: conventions for HTTP-served containers, small services and such
- 993: IMAP/SSL (it seems syncing with exchange)
- 691: SMTP/LSA (Only exchange? (verify))
- 67 and 68: DHCP/BOOTP server and client, 69: TFTP
- 137/UDP: NETBIOS nameservice, 138/UDP: NETBIOS datagram, 139/UDP: NETBIOS session, 445/TCP: SMB-over-TCP
- 21: FTP command, 20: FTP data, 873: rsync (unless over ssh)
- 5222: Jabber client-to-server, 5269: Jabber server-to-server, 5223: Jabber-secure

Your unix installation will have a list at /etc/services; some programs use this.

Netfilter

This article/section is a stub - probably a pile of half-sorted notes, is not well-checked so may have incorrect bits.

You usually only care about packets following one of these three paths:
- network → PREROUTING → INPUT → local process (data coming in for your apps)
- local process → OUTPUT → POSTROUTING → network (data going out, from your apps)
- network → PREROUTING → FORWARD → POSTROUTING → network (data passing through)

Usually, INPUT, OUTPUT, and FORWARD are the interesting chains for filtering (different kinds of traffic), while PREROUTING and POSTROUTING are there for doing complex things such as packet alteration for fun, profit, routing, NAT, and such.

Networking is an 'as fast as possible' sort of resource, so rules are compiled to their simplest-to-evaluate binary form of, usually, little more than a few bitmasks and comparisons. Even in the text form you write, they will be mostly numeric already. (Speed is also served by using "use only the first rule that applies, nothing else" logic.) Some kinds of matching (..., l7 stuff) take a little longer to evaluate, so don't use those when you care about speed.
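The port bookkeeping above (the IANA well-known/registered/dynamic split, the Linux ephemeral range in /proc/sys/net/ipv4/ip_local_port_range, and the /etc/services table) as an added, runnable Python example. This is not code from the page or from any OS; the /etc/services excerpt embedded below is constructed for the example, and the parser assumes the usual "name port/proto [aliases] [# comment]" line layout.

```python
"""Port-number bookkeeping: IANA classes, the OS ephemeral range, and
parsing /etc/services.  Illustrative example; the sample table below is
constructed, not copied from a real system."""
from typing import Dict, List, Optional, Tuple

# IANA split as stated in the text: below 1024 well-known, 1024-49151
# registered, above that "dynamic and/or private".
IANA_REGISTERED = (1024, 49151)


def port_class(port: int) -> str:
    """Classify a port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP/UDP port number: {port}")
    if port < IANA_REGISTERED[0]:
        return "well-known"      # common services; binding usually needs privilege
    if port <= IANA_REGISTERED[1]:
        return "registered"
    return "dynamic"             # where most OSes place their ephemeral range


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the two numbers found in /proc/sys/net/ipv4/ip_local_port_range (Linux)."""
    lo, hi = (int(x) for x in text.split())
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"implausible ephemeral range {lo}-{hi}")
    return lo, hi


def read_linux_ephemeral_range(path: str = "/proc/sys/net/ipv4/ip_local_port_range") -> Tuple[int, int]:
    """Read the live range on a Linux host (the path is the one the text names)."""
    with open(path) as f:
        return parse_port_range(f.read())


def is_ephemeral(port: int, eph: Tuple[int, int]) -> bool:
    """True if the port falls inside the OS's ephemeral range."""
    return eph[0] <= port <= eph[1]


# (port, proto) -> (service name, aliases)
ServicesTable = Dict[Tuple[int, str], Tuple[str, List[str]]]


def parse_services(text: str) -> ServicesTable:
    """Parse /etc/services-format lines; comments, blanks and malformed lines are skipped."""
    table: ServicesTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                               # not "name port/proto ...": skip, don't crash
        port_s, proto = fields[1].split("/", 1)
        try:
            port = int(port_s)
        except ValueError:
            continue
        table[(port, proto.lower())] = (fields[0], fields[2:])
    return table


def service_name(port: int, proto: str, table: ServicesTable) -> Optional[str]:
    """Name registered for (port, proto), or None if the table has no entry."""
    entry = table.get((port, proto))
    return entry[0] if entry else None


# Constructed excerpt in /etc/services format (assumption: not a real system's file).
SERVICES_SAMPLE = """\
# constructed sample, not a real /etc/services
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
domain          53/tcp
domain          53/udp
tftp            69/udp
http            80/tcp          www             # WorldWideWeb HTTP
netbios-ns      137/udp
microsoft-ds    445/tcp
rsync           873/tcp
imaps           993/tcp
xmpp-client     5222/tcp        jabber-client
http-alt        8080/tcp        webcache
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    eph = (32768, 60999)   # constructed value in the shape Linux reports
    for port, proto in [(22, "tcp"), (53, "udp"), (8080, "tcp"), (40000, "tcp")]:
        print(port, proto, port_class(port), service_name(port, proto, table),
              "ephemeral" if is_ephemeral(port, eph) else "")
```

On a Linux host `read_linux_ephemeral_range()` replaces the constructed tuple with the live value; the parser deliberately skips malformed lines rather than failing, since real /etc/services files accumulate vendor additions and comments.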
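The three chain paths and the "first rule that applies wins" evaluation described in the Netfilter notes, as an added Python model. This is an illustration written for this page, not netfilter or iptables code: it models only a filter-style ACCEPT/DROP decision per chain (no user-defined chains, jumps or NAT), and the rule sets and packets at the bottom are constructed to show why rule order matters. Source-address matching is "compiled" to an integer network/mask pair so that each match is the kind of bitmask-and-compare the text mentions.

```python
"""Toy model of netfilter filtering: the three chain paths, CIDR matching
reduced to an integer bitmask, and first-match-wins per chain.
Illustrative example only; it is not iptables."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp"
    dport: int = 0
    src_local: bool = False    # generated by a local process?
    dst_local: bool = False    # addressed to this host?


def chain_path(pkt: Packet) -> List[str]:
    """The chains a packet traverses, for the three paths the text lists."""
    if pkt.dst_local and not pkt.src_local:
        return ["PREROUTING", "INPUT"]                   # coming in for local apps
    if pkt.src_local and not pkt.dst_local:
        return ["OUTPUT", "POSTROUTING"]                 # going out from local apps
    if not pkt.src_local and not pkt.dst_local:
        return ["PREROUTING", "FORWARD", "POSTROUTING"]  # passing through
    raise ValueError("local-to-local traffic is outside the three paths modelled here")


@dataclass
class Rule:
    chain: str
    action: str                               # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None                 # CIDR such as "10.0.0.0/8"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    # "compiled" form of src: network and mask as integers, set in __post_init__
    _net: int = field(default=0, init=False, repr=False)
    _mask: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.src is not None:
            n = IPv4Network(self.src, strict=False)
            self._net = int(n.network_address)
            self._mask = int(n.netmask)

    def matches(self, pkt: Packet) -> bool:
        """Each test is a single comparison or an AND followed by a comparison."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and (int(IPv4Address(pkt.src)) & self._mask) != self._net:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


def evaluate_chain(chain: str, rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First rule in this chain that matches decides; later rules are never consulted."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.action
    return policy                                   # chain policy when nothing matched


def filter_packet(pkt: Packet, rules: List[Rule], policies: Optional[Dict[str, str]] = None) -> str:
    """Walk the packet's chain path; a DROP in any chain ends its journey."""
    policies = policies or {}
    for chain in chain_path(pkt):
        if evaluate_chain(chain, rules, pkt, policies.get(chain, "ACCEPT")) == "DROP":
            return "DROP"
    return "ACCEPT"


# Constructed rule sets (assumption: an "office" network of 10.0.0.0/8).
# Intended policy: allow SSH from the office network, drop everything else for this host.
GOOD_ORDER = [
    Rule("INPUT", "ACCEPT", proto="tcp", src="10.0.0.0/8", dports=(22, 22)),
    Rule("INPUT", "DROP"),
]
# The same two rules reversed: the catch-all DROP matches first, so SSH is never reached.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]]

# Constructed packets.
SSH_FROM_OFFICE = Packet("10.1.2.3", "10.0.0.1", "tcp", 22, dst_local=True)
SSH_FROM_ELSEWHERE = Packet("203.0.113.9", "10.0.0.1", "tcp", 22, dst_local=True)
TRANSIT_DNS = Packet("192.0.2.5", "198.51.100.7", "udp", 53)   # neither end is local

if __name__ == "__main__":
    for name, pkt in [("ssh/office", SSH_FROM_OFFICE), ("ssh/elsewhere", SSH_FROM_ELSEWHERE),
                      ("transit dns", TRANSIT_DNS)]:
        print(name, chain_path(pkt), "good:", filter_packet(pkt, GOOD_ORDER),
              "bad:", filter_packet(pkt, BAD_ORDER))
```

Two things the model makes visible: INPUT rules never see the transit packet, because its path is PREROUTING → FORWARD → POSTROUTING, so a box that routes needs FORWARD rules (or a FORWARD policy) of its own; and with first-match logic the same two rules give opposite results depending on order, which is why a catch-all DROP belongs at the end of a chain.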

