[120869] in North American Network Operators' Group
RE: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Jason Shearer)
Tue Jan 5 16:15:51 2010
From: Jason Shearer <jshearer@amedisys.com>
To: Jay Hennigan <jay@west.net>,
"nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 5 Jan 2010 15:08:59 -0600
In-Reply-To: <4B43A941.1050209@west.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Doesn't using the established allow any packet with ACK/RST set and wouldn't you have to allow all high ports?
Jason
-----Original Message-----
From: Jay Hennigan [mailto:jay@west.net]
Sent: Tuesday, January 05, 2010 3:04 PM
To: nanog@nanog.org
Subject: Re: I don't need no stinking firewall!
Simon Lockhart wrote:
> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>
> - Allow from home DSL IP to server port 22
> - Allow from anywhere port 80 to server
Change the above to:
- Allow from anywhere port 80 to server port > 1023
Or better:
- Allow from anywhere port 80 to server port > 1023 established
> - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.
Those outbound connections will originate from a random high port, so
just allow those as destination ports on your inbound rule.
> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.
Not with the above rules.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
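The inbound ACL from Jay's reply, simulated as an added example that is not code from the thread. Addresses are constructed placeholders, the ACL is assumed to be applied inbound on the server's interface (so the destination is implicit), and "established" is modelled the way IOS does it: a match on any TCP segment with ACK or RST set, with no connection tracking.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder addresses (RFC 5737 ranges), not taken from the thread.
HOME_DSL = "203.0.113.7"
SERVER = "198.51.100.10"
# A TCP segment as the ACL sees it; ack_or_rst is True when ACK or RST is set.
Packet = namedtuple("Packet", "src sport dport ack_or_rst")

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # None means "any"
    sport: Optional[int] = None
    dport_min: int = 0
    dport_max: int = 65535
    established: bool = False    # IOS-style: matches only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src == self.src)
                and (self.sport is None or p.sport == self.sport)
                and self.dport_min <= p.dport <= self.dport_max
                and (not self.established or p.ack_or_rst))

# Jay's inbound ACL: SSH from home only, then port-80 return traffic to
# ports > 1023 with "established", then deny the rest.
INBOUND_ACL: List[Rule] = [
    Rule("permit", src=HOME_DSL, dport_min=22, dport_max=22),
    Rule("permit", sport=80, dport_min=1024, established=True),
    Rule("deny"),
]

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins, as on a router; no connection state is kept."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

def demo() -> dict:
    """Constructed sample segments and the ACL's verdict on each."""
    cases = {
        "ssh_from_home": Packet(HOME_DSL, 50000, 22, False),        # SYN from home
        "http_return": Packet("192.0.2.8", 80, 40000, True),        # reply to server's HTTP
        "port80_syn_to_ssh": Packet("192.0.2.9", 80, 22, False),    # Simon's scenario
        "port80_syn_highport": Packet("192.0.2.9", 80, 40000, False),
        "port80_ack_highport": Packet("192.0.2.9", 80, 40000, True),  # Jason's point
    }
    return {name: evaluate(INBOUND_ACL, p) for name, p in cases.items()}
```

The last case is the limitation Jason asks about: with no state table, an ACK- or RST-flagged segment from source port 80 to any port above 1023 still reaches the host, whose own TCP stack has to reject it.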