Firewall setup for accounting services (port 2008)

Saturday 5 September 2015

Hi all!

Currently I am struggling to set up the firewall on my rented Debian vserver to let TeamSpeak connect to the accounting service.

My problem is the following statement from the knowledge base:
Quote:

In addition to that, packets originating from or sent to accounting.teamspeak.com:2008 (TCP) and weblist.teamspeak.com:2010 (UDP) must not be blocked. The local port for these connections is randomly assigned by the operating system when the connection is established. Please note that we do not guarantee that these DNS names will resolve to the same IP Address at any point in time. These services have changed IP addresses in the past and will continue to do so in the future.
As far as I understand it, I have to set up a rule in my firewall:
"Allow connections to ANY local port from ANY remote IP as long as the remote port is 2008".
This, in my opinion, is very, very bad and nearly as insecure as completely disabling my firewall :mad:

Why ANY local Port?
Quote:

The local port for these connections is randomly assigned by the operating system when the connection is established
Why ANY remote IP?
Quote:

These services have changed IP addresses in the past and will continue to do so in the future.
On the net I have read several comments that you only need to allow incoming connections on 2008, but as far as I have found out that is not true.
My firewall is configured to allow any outgoing traffic anyway.
And I had configured a rule "Allow incoming connections to local port 2008 from anywhere".
But it did not work ... TS server ran just fine but it shut down after some time with the message:
Quote:

Could not connect to accounting server after multiple attempts, shutting down server
And besides my experiment, the text from the knowledge base says something different.

So ... am I interpreting that text from the knowledge base correctly, or am I missing something important?

How can I set up my firewall in a more secure way while still allowing TS connections to the accounting service?

To be more precise: I am working with iptables.
I have some experience with managing servers but I am not a professional admin.
On top of that, the ISP does not allow me to edit the iptables config directly.
Instead I have to do it with a web-interface that somehow restricts my options (e.g. not allowing the use of domain names as "source" for firewall rules - only IP).

Maybe it is possible to achieve more security using ESTABLISHED or RELATED flags with that "incoming from port 2008" rule?
Is communication with the accounting service always initiated by my local server?
If so, which flag would be the correct one / working for TS accounting service connections?

Thanks in advance for any help!
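The two INPUT rules discussed in the post, compared against the accounting connection in a small Python model of connection tracking. This is an added example, not code from the post or from TeamSpeak; the IP addresses and the ephemeral local port 49152 are constructed sample values, and RELATED state is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the local server
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Conntrack:
    """Minimal stand-in for the kernel connection tracker."""
    def __init__(self):
        self.flows = set()

    def note_outbound(self, p):
        # Every connection the server opens is recorded as a 5-tuple.
        self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))

    def state(self, p):
        # An inbound packet is ESTABLISHED only if it is the exact reverse
        # of a flow we opened; everything else is NEW (RELATED not modelled).
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "ESTABLISHED" if p.direction == "in" and reverse in self.flows else "NEW"

def naive_rule(p, ct):
    """-A INPUT -p tcp --dport 2008 -j ACCEPT  (the rule the post tried)"""
    return p.direction == "in" and p.proto == "tcp" and p.dst_port == 2008

def stateful_rule(p, ct):
    """-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"""
    return p.direction == "in" and ct.state(p) in ("ESTABLISHED", "RELATED")

def simulate(rule):
    """Apply one INPUT rule (default DROP) with OUTPUT set to accept everything.
    Returns (reply_from_accounting_accepted, unsolicited_to_2008_accepted)."""
    ct = Conntrack()
    local, remote = "203.0.113.10", "198.51.100.20"  # constructed sample addresses
    # The server opens the connection: ephemeral source port, remote port 2008.
    syn = Packet("out", "tcp", local, 49152, remote, 2008)
    ct.note_outbound(syn)  # OUTPUT accepts it and conntrack records the flow
    # The accounting server's reply comes back with SOURCE port 2008 and
    # destination port 49152, so a --dport 2008 INPUT rule never matches it.
    reply = Packet("in", "tcp", remote, 2008, local, 49152)
    # A stranger connecting to our port 2008 is exactly what --dport 2008 lets in.
    unsolicited = Packet("in", "tcp", "192.0.2.77", 40000, local, 2008)
    return (rule(reply, ct), rule(unsolicited, ct))
```

With a DROP-default INPUT chain, the stateful rule admits only replies to connections the server itself opened, regardless of which local port the OS picked or which address the accounting host currently resolves to.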