in reply to Re: LWP and LocalIP/LocalPort
in thread LWP and LocalIP/LocalPort

The Short Answer:
The reason I want to set the local port as well is so the outgoing connection is predictable and filterable.

The Long Answer:
I've got a web server with MovableType running on it. One of the functions that MT performs is to send XML 'pings' or update notices to external web servers. This server and the firewall in front of it have both ingress and egress filtering in place. In other words, the web server is not allowed to contact stuff on the internet all by its lonesome in case of virus/rootkit infection.

Now there is the quandary. I can't let this machine contact *:80 on the internet. That defeats the purpose of the egress filtering. But, if I can lock it down (kind of like Bind's query-source option) to a predictable IP/port, I can allow the software out, but other *:80 requests from the machine will still be blocked.

I could install tinyproxy on this machine to proxy those requests, but that's overkill when I should be able to specify the LocalIP/LocalPort in LWP.
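The following is an added example, not code from the original post or from MovableType: it shows one way to pin an LWP request to a fixed source IP and a small, firewall-friendly source port range. It relies on `@LWP::Protocol::http::EXTRA_SOCK_OPTS`, which LWP::Protocol::http passes straight to `IO::Socket::INET->new` (so `LocalAddr`/`LocalPort` work the same way they do for any client socket). The address 192.0.2.10, the port range 50000-50009, the ping URL and the XML body are all assumptions chosen for the example. Because a single fixed port is left in TIME_WAIT after each ping, the example walks a short range instead of insisting on one port; the egress rule then only needs to allow that range to *:80.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::http;   # provides @EXTRA_SOCK_OPTS

# Assumed for this example: the server owns 192.0.2.10 on some interface,
# and the firewall permits 192.0.2.10, source ports 50000-50009, to *:80.
my $local_ip   = '192.0.2.10';
my @port_range = (50000 .. 50009);

# Constructed sample ping body (weblogUpdates.ping as MT would send it).
my $ping_xml = <<'XML';
<?xml version="1.0"?>
<methodCall>
  <methodName>weblogUpdates.ping</methodName>
  <params>
    <param><value>Example Weblog</value></param>
    <param><value>http://weblog.example.org/</value></param>
  </params>
</methodCall>
XML

# Send one ping from the pinned source address, trying each port in the
# allowed range until one binds and connects. Returns the HTTP::Response.
sub send_ping {
    my ($url, $xml) = @_;
    my $ua = LWP::UserAgent->new(timeout => 30);

    for my $port (@port_range) {
        # LWP::Protocol::http hands these options to IO::Socket::INET->new,
        # so the outgoing TCP connection is bound before connect().
        # ReuseAddr lets us re-bind a port that only has TIME_WAIT entries.
        local @LWP::Protocol::http::EXTRA_SOCK_OPTS = (
            LocalAddr => $local_ip,
            LocalPort => $port,
            ReuseAddr => 1,
        );

        my $res = $ua->post($url, Content_Type => 'text/xml', Content => $xml);

        # A bind or connect failure surfaces as an internal 500 whose message
        # starts with "Can't connect" (LWP wraps the socket error in it).
        # That is the "port already in use" case: move on to the next port.
        if ($res->code == 500 && $res->message =~ /^Can't connect/) {
            warn "port $port unusable: " . $res->message . "\n";
            next;
        }
        return $res;   # success, or a genuine HTTP error from the remote end
    }
    die "no usable local port in $port_range[0]-$port_range[-1]\n";
}

# Assumed ping target; any MT/XML-RPC update service would look the same.
my $res = send_ping('http://rpc.example.net/RPC2', $ping_xml);
print $res->status_line, "\n";
```

Two checks worth doing before trusting the firewall rule: run `netstat -tn` (or `ss -tn`) while a ping is in flight to confirm the local address/port are the pinned ones, and confirm the rule is written for the whole port range rather than a single port, since back-to-back pings to the same destination cannot reuse the identical source port until TIME_WAIT expires. This only covers plain http; LWP::Protocol::https builds its socket options separately, so HTTPS targets would need the same options applied there.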

Replies are listed 'Best First'.
Re: Re: Re: LWP and LocalIP/LocalPort
by jj808 (Hermit) on Oct 16, 2002 at 04:02 UTC
    I can see what you're trying to achieve, but by restricting the outgoing port there will always be a potential for failure.

    Say for example your outgoing connection for the XML 'pings' was set to always use port 50000 (and it was working :-). You do not have control over the ports that incoming connections to your MT server will be using (i.e. the local ports on computers browsing your site), so there is a chance that an incoming connection could be using port 50000 at the same time as MT was trying to open an outgoing socket. Your XML 'ping' would fail.

    Would it be secure enough to make a list of the IP addresses you need to XML 'ping' and then allow connections from any local ports (in the range 1024-65535) to port 80 on the specific IP addresses, e.g. 10.0.0.1:80, 10.0.0.2:80 etc? Then your OS can still allocate outgoing port numbers in the usual manner.

    JJ

      These are outgoing only to port 80. All incoming would be going to port 80 on the server itself. They are two separate processes that I don't believe could trample on each other port-wise. For that matter, the IP I would specify for the outgoing pings from MT would be different from the IP address where incoming http requests go.

      Unfortunately, the destination addresses could be any server out there running its own copy of MT.