Firewall Wizards mailing list archives

Re: Allowing SSL connections through Linux firewall


From: Bennett Todd <bet () rahul net>
Date: Thu, 20 Apr 2000 16:09:48 -0400

2000-04-19-02:02:23 Art Mason:
I've set up a Linux box for a client of mine running NAT/IP
Masquerading (ipchains) and SMTP (postfix).

Good stuff. I did that recently myself, really like the results.

All seems to be going well, except for the fact that when
accessing an online banking account which initiates an SSL
transaction, the connection just sits there and times out.

That phraseology was a little odd. Do you simply mean making an SSL
connection for an https URL from the client? Or do you mean that the
backing server tries to initiate an SSL connection of some sort back
to the client? If the latter, then that is not standard
http-over-SSL, that's something peculiar to them, and you'll need to
figure out what.

A normal https connection is just an outbound TCP connection on port
443, and it Masqs just fine, nothing special needed. Right after I
set up the aforementioned firewall I hooked my laptop to the RFC
1918 net on the inside, and shortly thereafter did an https, so I
know this from recent experience :-).

If the bank is trying to make some connection back to the client
(presumably for a custom PC banking app they have, this wouldn't be
anything in a standard browser) then you might be able to find the
port they're trying to connect to in the firewall box's logs. Make
sure you set up the firewall with ipchains configured to deny and
log everything from the internet except the protocols you really
want to accept, that makes it easy to figure these kinds of problems
out.
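The "deny and log everything, then read the logs" approach above is easiest when something summarizes the log for you. The following is an added example, not part of Bennett's post: a small Python script that parses ipchains kernel log lines, keeps only DENY'd inbound TCP SYNs on the outside interface, and tallies which destination ports a given peer (say, the bank's server) kept trying to reach. The log lines are constructed for this example, in the ipchains "Packet log:" format as I recall it (chain, target, interface, PROTO=, src:sport, dst:dport, then length/TOS/id/flags/TTL, an optional SYN marker and the rule number); check the exact layout against your own kernel's output before relying on the regex. The interface name, addresses and ports are assumptions.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the ipchains "Packet log:" format.
# 198.51.100.2 is the firewall's outside address, 203.0.113.5 plays the bank's
# server, 192.0.2.77 is unrelated background noise. All values are made up.
SAMPLE_LOG = """\
Apr 20 15:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:2049 198.51.100.2:5006 L=44 S=0x00 I=18 F=0x4000 T=52 SYN (#9)
Apr 20 15:01:04 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:2050 198.51.100.2:5006 L=44 S=0x00 I=19 F=0x4000 T=52 SYN (#9)
Apr 20 15:01:07 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:53 198.51.100.2:1024 L=60 S=0x00 I=20 F=0x0000 T=120 (#9)
Apr 20 15:01:09 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4100 198.51.100.2:23 L=44 S=0x00 I=21 F=0x4000 T=48 SYN (#9)
Apr 20 15:01:11 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:2051 198.51.100.2:5006 L=44 S=0x00 I=22 F=0x4000 T=52 SYN (#9)
"""

# Assumed ipchains log layout; adjust if your kernel prints the fields differently.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*\(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    # ipchains prints a bare "SYN" token for TCP packets with only SYN set,
    # i.e. new connection attempts; that is the part we care about here.
    rec["syn"] = " SYN " in line
    return rec


def denied_inbound_tcp_syns(log_text, iface="eth0"):
    """Count (src, dport) pairs for DENY'd inbound TCP SYNs arriving on iface.

    Outbound https from a masqueraded client never shows up here, because it
    is an allowed outbound connection; only the outside world's attempts to
    open connections to us are counted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["chain"] == "input" and rec["target"] == "DENY"
                and rec["iface"] == iface and rec["proto"] == 6 and rec["syn"]):
            counts[(rec["src"], rec["dport"])] += 1
    return counts


def callback_candidates(log_text, peer, iface="eth0"):
    """Ports that `peer` tried to connect to, most frequent first.

    A PC banking app that expects the bank to connect back will show up as
    repeated SYNs from the bank's address to one port; that port is what you
    would then decide whether to forward to the client.
    """
    ports = Counter()
    for (src, dport), n in denied_inbound_tcp_syns(log_text, iface).items():
        if src == peer:
            ports[dport] += n
    return ports.most_common()


if __name__ == "__main__":
    for port, n in callback_candidates(SAMPLE_LOG, "203.0.113.5"):
        print(f"203.0.113.5 tried port {port} {n} time(s)")
```

Run it against `/var/log/messages` (or wherever klogd puts kernel messages) with the bank's address instead of the constructed one; anything that appears once from a random address is background scanning, while a port hit repeatedly from the bank's own address right after the client app stalls is the likely culprit.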

-Bennett
