Firewall Wizards mailing list archives

Re: Comparisons of Firewall-1 vs. PIX


From: Kevin Steves <stevesk () sweden hp com>
Date: Wed, 7 Oct 1998 06:40:02 +0200 (MET DST)

On Wed, 30 Sep 1998, Jean-Christophe Touvet wrote:
:  Even if I can see specific cases where source port filtering is valuable
: (especially when writing filters for stateless devices), I still don't think
: that one should ban a firewall just because it never lets one write rules which
: trust source ports.

That's a good point: yes, source ports are useless for authentication,
but they can be used by a filter writer to sanity check their
understanding of a vendor's protocol spec and to provide some limited
documentation for the next guy that comes along and wants to
understand what the filter does.  For example:

access-list 110 permit tcp host 192.168.1.1 range 8195 8294 192.168.2.0 0.0.0.255 eq 8194
access-list 110 permit udp host 192.168.1.1 eq 48129 192.168.2.0 0.0.0.255 eq 48129

The source comparisons don't add any additional security to these
rules, but they just might help make it more clear what they are for
(hey, isn't that that funny Bloomberg stuff :).
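Added example, not part of the original post or of any vendor's code: a small parser and first-match evaluator for extended access-list lines of the shape quoted above, used to show the distinction the post draws. The source-port comparison narrows which packets the rule describes (and so documents what it is for), but since the sender chooses its own source port, the comparison adds nothing a sender cannot satisfy at will. Assumptions: the grammar is limited to host/any/wildcard addresses and the eq/range/gt/lt port operators, first match wins with an implicit deny at the end, and every packet below is constructed for the demo.

```python
# Added example (not from the original post): parse PIX/IOS-style extended
# access-list lines and evaluate constructed packets against them.
# Assumptions: host/any/wildcard addresses, eq/range/gt/lt port operators,
# first-match semantics with an implicit deny at the end of the list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (lo, hi); None means "any port"


@dataclass(frozen=True)
class AclRule:
    number: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # IOS/PIX wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    netmask = ~wildcard & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask: " + t[i + 1])
    return ipaddress.ip_network((t[i], prefix), strict=False), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[PortRange, int]:
    """Parse an optional port operator at t[i]; no operator means any port."""
    if i >= len(t):
        return None, i
    op = t[i]
    if op == "eq":
        p = int(t[i + 1])
        return (p, p), i + 2
    if op == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    if op == "gt":
        return (int(t[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, int(t[i + 1]) - 1), i + 2
    return None, i  # next token is an address, not a port operator


def parse_acl(line: str) -> AclRule:
    """Parse one 'access-list N permit|deny PROTO SRC [ports] DST [ports]' line."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported access-list line: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    if i != len(t):
        raise ValueError("trailing tokens in: " + line)
    return AclRule(t[1], t[2], t[3], src, sport, dst, dport)


def _in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def _matches(r: AclRule, proto: str, s: ipaddress.IPv4Address, sport: int,
             d: ipaddress.IPv4Address, dport: int) -> bool:
    return (r.proto in ("ip", proto) and s in r.src and _in_range(r.sport, sport)
            and d in r.dst and _in_range(r.dport, dport))


def evaluate(rules: List[AclRule], proto: str, saddr: str, sport: int,
             daddr: str, dport: int) -> str:
    """First matching rule decides; an access list ends with an implicit deny."""
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    for r in rules:
        if _matches(r, proto, s, sport, d, dport):
            return r.action
    return "deny"


def find_permitted_source_port(rules: List[AclRule], proto: str, saddr: str,
                               daddr: str, dport: int) -> Optional[int]:
    """The sender picks its own source port, so anyone sending from saddr can
    simply bind whichever port the filter wants; return the first that passes."""
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    for sport in range(1, 65536):
        for r in rules:
            if _matches(r, proto, s, sport, d, dport):
                return sport if r.action == "permit" else None
    return None


# The two rules quoted in the post, parsed once for the demo.
POSTED_ACL = [
    "access-list 110 permit tcp host 192.168.1.1 range 8195 8294 192.168.2.0 0.0.0.255 eq 8194",
    "access-list 110 permit udp host 192.168.1.1 eq 48129 192.168.2.0 0.0.0.255 eq 48129",
]
RULES = [parse_acl(line) for line in POSTED_ACL]

if __name__ == "__main__":
    # Constructed packets: in-range source port passes, out-of-range does not,
    # but a sender at 192.168.1.1 just picks an in-range port (first hit: 8195).
    print(evaluate(RULES, "tcp", "192.168.1.1", 8200, "192.168.2.10", 8194))    # permit
    print(evaluate(RULES, "tcp", "192.168.1.1", 40000, "192.168.2.10", 8194))   # deny
    print(find_permitted_source_port(RULES, "tcp", "192.168.1.1", "192.168.2.10", 8194))  # 8195
```

The last call is the point of the post in code: the only thing that keeps 10.0.0.5 out is the `host 192.168.1.1` source address (and whatever anti-spoofing sits in front of the filter); the source-port range only tells the next reader what traffic the rule was written for.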


