Firewall Wizards mailing list archives

Re: Gauntlet Rule Interpretation


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 13 Feb 2002 11:49:38 -0500

Johann van Duyn wrote:
> I am arguing with our network manager regarding the interpretation of
> Gauntlet (on BSD Unix) rulesets. My knowledge of Gauntlet is not very deep,
> but I can read, and I am sure that I am interpreting the rules correctly.

I'm not sure if I can accurately answer your question(s) because my
knowledge of Gauntlet is rather dated but I used to be pretty familiar
with that product...

> The ruleset says NOTHING specific about SNMP traffic, either by proxy name
> or by port number.

Right. The original Gauntlet didn't recognize the existence of SNMP at all.
It's such a disastrously bad protocol, from a security standpoint, that the
original designers of Gauntlet never thought anyone would want to let it
through a firewall at all! :)

> However, some of our rules look like this:
>
>         authenIP: permit-forward -if ef1 -proto * -srcaddr a.b.c.d:255.255.255.255 -dstaddr w.x.y.z:255.255.255.255 -srcport * -dstport *
>         authenIP: permit-forward -if exp0 -proto * -dstaddr a.b.c.d:255.255.255.255 -srcaddr w.x.y.z:255.255.255.255 -dstport * -srcport *
>
> Surely such a rule would let SNMP traffic from a.b.c.d to w.x.y.z and
> vice-versa? Or am I missing something here?

Yeah, it looks like that, but I think that's the VPN layer stuff. AuthenIP is
authenticated; so it's acting as a tunnel for that traffic but I don't think it
will let through random Internet traffic including SNMP.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
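The disagreement in the thread is about what the two authenIP permit-forward lines say when read literally. As an added example (not code from the original post, and not Gauntlet's own rule engine), the script below parses rule text in the form shown above and checks which line a given packet tuple would match if every token were read as a plain packet-filter field. It assumes first-match semantics, that `addr:mask` means a bitwise match and `*` means any value, and it replaces the post's placeholder addresses a.b.c.d / w.x.y.z with RFC 5737 documentation addresses so the text is parseable. It deliberately does not model what mjr points out, namely that authenIP rules belong to the authenticated VPN layer and are not applied to arbitrary cleartext Internet traffic; it only shows that the literal text does cover SNMP (UDP/161) between the two hosts, which is the reading the question is based on.

```python
"""Literal matcher for Gauntlet-style permit-forward rule text.

Added example: this is not Gauntlet code and does not model how Gauntlet
evaluates an authenIP ruleset (the VPN / authenticated-traffic layer).  It
only reports which rule line a packet tuple would match if the tokens were
read literally as a packet filter.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed rules modelled on the two in the post.  The placeholders
# a.b.c.d and w.x.y.z are replaced by RFC 5737 documentation addresses;
# the ":255.255.255.255" host masks and "*" wildcards are kept as posted.
RULES_TEXT = """
authenIP: permit-forward -if ef1 -proto * -srcaddr 192.0.2.10:255.255.255.255 -dstaddr 198.51.100.20:255.255.255.255 -srcport * -dstport *
authenIP: permit-forward -if exp0 -proto * -dstaddr 192.0.2.10:255.255.255.255 -srcaddr 198.51.100.20:255.255.255.255 -dstport * -srcport *
"""

SNMP_PORT = 161  # SNMP agent port (UDP)


@dataclass
class Rule:
    policy: str                               # e.g. "authenIP"
    action: str                               # e.g. "permit-forward"
    opts: dict = field(default_factory=dict)  # "-key value" pairs, dashes stripped


def parse_rule(line: str) -> Rule:
    """Parse one 'policy: action -key value ...' line into a Rule."""
    policy, rest = line.split(":", 1)
    tokens = shlex.split(rest)
    action, pairs = tokens[0], tokens[1:]
    if len(pairs) % 2:
        raise ValueError(f"dangling option in rule: {line!r}")
    opts = {pairs[i].lstrip("-"): pairs[i + 1] for i in range(0, len(pairs), 2)}
    return Rule(policy.strip(), action, opts)


def parse_rules(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def addr_matches(spec: str, addr: str) -> bool:
    """'*' matches anything; 'net:mask' matches when (addr & mask) == (net & mask)."""
    if spec == "*":
        return True
    net, mask = spec.split(":", 1)
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(net)) & m


def scalar_matches(spec: str, value) -> bool:
    """'*' matches anything; otherwise an exact, case-insensitive compare."""
    return spec == "*" or spec.lower() == str(value).lower()


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Literal interface + five-tuple match against one rule's options."""
    o = rule.opts
    return (scalar_matches(o.get("if", "*"), pkt["iface"])
            and scalar_matches(o.get("proto", "*"), pkt["proto"])
            and addr_matches(o.get("srcaddr", "*"), pkt["src"])
            and addr_matches(o.get("dstaddr", "*"), pkt["dst"])
            and scalar_matches(o.get("srcport", "*"), pkt["sport"])
            and scalar_matches(o.get("dstport", "*"), pkt["dport"]))


def first_match(rules: list, pkt: dict):
    """Return the first matching rule (first-match semantics assumed), else None."""
    for r in rules:
        if rule_matches(r, pkt):
            return r
    return None


def snmp_packet(iface: str, src: str, dst: str, sport: int = 50000) -> dict:
    """Constructed SNMP request: a UDP datagram to port 161."""
    return {"iface": iface, "proto": "udp", "src": src, "dst": dst,
            "sport": sport, "dport": SNMP_PORT}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for pkt in (snmp_packet("ef1", "192.0.2.10", "198.51.100.20"),
                snmp_packet("exp0", "198.51.100.20", "192.0.2.10"),
                snmp_packet("ef1", "203.0.113.5", "198.51.100.20")):
        r = first_match(rules, pkt)
        print(pkt["src"], "->", pkt["dst"], "on", pkt["iface"], ":",
              f"{r.policy} {r.action} -if {r.opts['if']}" if r else "no literal match")
```

Read literally, the first line covers SNMP from 192.0.2.10 to 198.51.100.20 arriving on ef1 and the second covers the reply direction on exp0, while a third host matches neither. Whether Gauntlet ever consults authenIP lines for traffic that did not arrive through the authenticated tunnel is the separate question mjr raises, and no text-level matcher can answer it.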