Firewall Wizards mailing list archives

Re: Misconfigured firewalls


From: Lance Spitzner <lance () ksni net>
Date: Fri, 10 Dec 1999 09:43:43 -0600 (CST)

On Thu, 9 Dec 1999, TC Wolsey wrote:

> A couple of points, mostly FW-1 specific:

> You have left outgoing services enabled in the properties as Last, but block outgoing in the rulebase with rule 11.

Don't forget, the last rule is only blocking inbound (inbound to the interface,
similar to Cisco IOS ACLs), just like rules 1-10.  If I installed the rulebase 
on a specific system, then inspection would be both ways.

> You are rejecting ident and NBT destined for the FW, shouldn't you be sending RSTs for ident destined for the
> mailserver?

I should probably add that rule too.  However, you would be surprised how many
idents the firewall gets due to dynamic NAT.

> Is the sample policy of allowing any access out from the internal network the best choice of reference for possibly
> inexperienced admins? I think that a sample that allowed only DNS queries from the internal DNS server and HTTP and
> FTP services from a proxy server might steer them down a better path. I know that the example policy in your
> publication reflects what some organizations elect to do, but I would not like to see that type of policy encouraged
> if at all possible.

Great question.  Check up on that rule again, I go into far better detail
describing why I did what I did, and I detail what you describe above. If
you think I am still failing on that rule, let me know!

http://www.enteract.com/~lspitz/rules/rule1.html

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
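The two outbound policies argued over in this exchange (Lance's "anything out from the internal network" sample rule versus the DNS-server-only / proxy-only policy TC Wolsey proposes), plus the ident-to-mailserver reject rule he asks about, can be compared with a small first-match rulebase evaluator. What follows is an added example, not code from the original post, from Lance's rulebase pages, or from Check Point; FW-1 has its own rulebase format and this is only a model of its first-match semantics. All addresses (10.0.0.0/8 as the internal network, 10.0.0.53 as the internal DNS server, 10.0.0.80 as the proxy, 192.0.2.1 as the firewall, 192.0.2.25 as the mail server) and all sample connections are constructed for the example. The model deliberately ignores the interface-direction subtlety Lance raises (rules applied inbound to an interface versus installed on a specific host) and answers only "does the policy permit this connection, and by which rule".

```python
"""Toy first-match rulebase evaluator (added example; not FW-1 code).

Models the permissive and restrictive outbound policies discussed in the
thread, and the difference between silently dropping and rejecting (RST)
ident connections to the mail server.  Addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # "proto/port" or "any"
    action: str     # "accept", "drop" (silent) or "reject" (TCP RST / ICMP unreachable)
    comment: str = ""


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, conn):
    """Return (rule_number, action) for the first matching rule, numbered from 1
    like a FW-1 rulebase.  A connection matching nothing falls to the implicit
    drop, reported here as rule 0."""
    for number, rule in enumerate(rules, start=1):
        if (_addr_matches(rule.src, conn.src)
                and _addr_matches(rule.dst, conn.dst)
                and rule.service in ("any", conn.service)):
            return number, rule.action
    return 0, "drop"


# Assumed addresses (documentation / RFC 1918 ranges), not from the original post.
INTERNAL = "10.0.0.0/8"
DNS_SERVER = "10.0.0.53/32"
PROXY = "10.0.0.80/32"
FIREWALL = "192.0.2.1/32"
MAILSERVER = "192.0.2.25/32"

# The "anything out" style of sample policy: one broad accept, then a cleanup drop.
PERMISSIVE = [
    Rule("any", FIREWALL, "tcp/113", "reject", "ident to the firewall: answer with RST"),
    Rule("any", MAILSERVER, "tcp/25", "accept", "inbound mail"),
    Rule(INTERNAL, "any", "any", "accept", "anything out from the internal network"),
    Rule("any", "any", "any", "drop", "cleanup rule"),
]

# The proxy/DNS-server-only policy proposed in the thread.  Ident to the mail
# server is rejected rather than dropped so that remote MTAs that probe ident
# before accepting mail get an immediate RST instead of waiting for a timeout.
RESTRICTIVE = [
    Rule("any", FIREWALL, "tcp/113", "reject", "ident to the firewall: answer with RST"),
    Rule("any", MAILSERVER, "tcp/113", "reject", "ident to the mail server: answer with RST"),
    Rule("any", MAILSERVER, "tcp/25", "accept", "inbound mail"),
    Rule(DNS_SERVER, "any", "udp/53", "accept", "only the internal DNS server resolves outward"),
    Rule(PROXY, "any", "tcp/80", "accept", "HTTP only via the proxy"),
    Rule(PROXY, "any", "tcp/21", "accept", "FTP only via the proxy"),
    Rule("any", "any", "any", "drop", "cleanup rule"),
]

# Constructed sample connections: workstation going direct, proxy, DNS server,
# and an external host probing ident on the firewall and the mail server.
SAMPLE = [
    Conn("10.1.2.3", "198.51.100.7", "tcp/80"),      # workstation -> web, direct
    Conn("10.1.2.3", "198.51.100.7", "tcp/6667"),    # workstation -> IRC, direct
    Conn("10.1.2.3", "198.51.100.53", "udp/53"),     # workstation -> external DNS
    Conn("10.0.0.80", "198.51.100.7", "tcp/80"),     # proxy -> web
    Conn("10.0.0.53", "198.51.100.53", "udp/53"),    # internal DNS server -> external DNS
    Conn("203.0.113.5", "192.0.2.1", "tcp/113"),     # external -> firewall ident
    Conn("203.0.113.5", "192.0.2.25", "tcp/113"),    # external -> mail server ident
    Conn("203.0.113.5", "192.0.2.25", "tcp/25"),     # external -> mail server SMTP
]


def disagreements(conns, policy_a=PERMISSIVE, policy_b=RESTRICTIVE):
    """Connections the two rulebases decide differently, with both verdicts."""
    out = []
    for c in conns:
        a, b = evaluate(policy_a, c), evaluate(policy_b, c)
        if a[1] != b[1]:
            out.append((c, a, b))
    return out


if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.src:>13} -> {c.dst:<14} {c.service:<8} "
              f"permissive={evaluate(PERMISSIVE, c)}  restrictive={evaluate(RESTRICTIVE, c)}")
```

Running it shows the point of the thread in one table: the permissive rulebase lets a workstation open HTTP, IRC or DNS straight to the Internet under its rule 3, while the restrictive one sends all of those to the cleanup rule and permits only the proxy's HTTP/FTP and the DNS server's UDP/53; and the external ident probe to the mail server is silently dropped by the permissive cleanup rule but answered with a reject under the restrictive one.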
