[120879] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Henry Yen)
Tue Jan 5 16:56:31 2010

Date: Tue, 5 Jan 2010 16:55:22 -0500
From: Henry Yen <henry@AegisInfoSys.com>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <4B43ACB7.6040603@west.net>;
	from Jay Hennigan on Tue, Jan 05, 2010 at 13:18:47PM -0800
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote:
> Jason Shearer wrote:
> > Doesn't using the established allow any packet with ACK/RST set 
> 
> Yes, as would be expected for legitimate return traffic for a TCP 
> connection initiated from a browser inside the firewall.
> 
> > and wouldn't you have to allow all high ports?
> 
> That's what the ">" is for.  Cisco syntax "gt" (greater than).

One could also use reflexive access lists, which are much better
than static lists, although that takes you back to stateful.

It is possible to combine them both to achieve a mostly stateless
setup while still having better overall security.

> The point is that either of these will deny unsolicited new connection 
> attempts from the outside to TCP 22 (and 445, 135, etc.)

-- 
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
                                                (800) 234-4700
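The two inbound filters this thread is comparing, written out in Cisco IOS syntax as an added illustration (this is not configuration from the thread or from any vendor document). The ACL names, the interface name and the inside network 192.0.2.0/24 are assumptions made for the example.

```cisco
! Added example, not from the thread. Names, the interface and the inside
! network 192.0.2.0/24 are assumed for illustration.

! --- 1. Static list, the "stateless" approach the thread starts from.
ip access-list extended OUTSIDE-IN-STATIC
 ! "established" matches any TCP segment with ACK or RST set, whether or not
 ! a matching outbound connection exists. That is what lets ordinary return
 ! traffic for a connection opened from inside through with no per-flow state.
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! "gt" (greater than) opens the high ports in one line instead of listing
 ! them. Note the trade-off: this also admits an unsolicited SYN to any inside
 ! port above 1023, which is the concern raised earlier in the thread.
 permit tcp any 192.0.2.0 0.0.0.255 gt 1023
 ! A new-connection SYN to 22, 135, 445 or any other port at or below 1023
 ! matches nothing above and is dropped here.
 deny   ip any any log

! --- 2. Reflexive list: inbound permits are created by outbound traffic.
ip reflexive-list timeout 300
ip access-list extended OUTSIDE-OUT-REFLECT
 ! Each outbound TCP or UDP flow adds a temporary, mirrored entry (addresses
 ! and ports swapped) to TCP-STATE or UDP-STATE; TCP entries are removed on
 ! FIN/RST, all entries on timeout.
 permit tcp 192.0.2.0 0.0.0.255 any reflect TCP-STATE
 permit udp 192.0.2.0 0.0.0.255 any reflect UDP-STATE
 permit icmp 192.0.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-IN-REFLECT
 ! Only packets matching a live mirrored entry get in. An unsolicited segment
 ! with ACK set no longer qualifies on its flags alone, and no "gt 1023" line
 ! is needed for return traffic to ephemeral ports.
 evaluate TCP-STATE
 evaluate UDP-STATE
 deny   ip any any log

interface GigabitEthernet0/1
 description Link toward the Internet (assumed)
 ! Only one ACL per direction per interface: use either the static list ...
 ! ip access-group OUTSIDE-IN-STATIC in
 ! ... or the reflexive pair.
 ip access-group OUTSIDE-OUT-REFLECT out
 ip access-group OUTSIDE-IN-REFLECT in
```

One way to read "combine them both" in the post above, offered here as an interpretation rather than the author's own configuration: keep a static `established` line at the top of the inbound list so that TCP return traffic is handled without state, and place `evaluate` entries below it for UDP, which has no flags a static line can key on. Two caveats worth keeping in mind either way: reflexive entries are keyed on the addresses and ports of the outbound packet, so protocols that negotiate a second connection (active FTP, for instance) still need separate handling, and `evaluate` lines are processed in order like any other ACL entry, so what precedes them decides what the state table ever gets to see.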

