Firewall Wizards mailing list archives

Re: Cisco 2621 opinions


From: "Charles W. Swiger" <chuck () codefab com>
Date: Mon, 15 Jul 2002 17:49:48 -0400

On Monday, July 15, 2002, at 12:40 PM, Nick Drage wrote:
> On Sat, Jul 13, 2002 at 03:53:24PM -0400, John Adams wrote:
>> On Sat, 13 Jul 2002, joe macdonald wrote:
>>> [ ... ]
>> Personally, I'd build a linux box and put it in place with ipfw.
>
> "iptables" surely?

There was a time when IPFW couldn't do dynamic state; but for what it's worth (*), it has that capability now. From 'man ipfw' under FreeBSD_4.6-STABLE:

"If the ruleset includes one or more rules with the keep-state or limit
option, then ipfw assumes a stateful behaviour, i.e. upon a match it
will create dynamic rules matching the exact parameters (addresses and
ports) of the matching packet.

These dynamic rules, which have a limited lifetime, are checked at the
first occurrence of a check-state or keep-state rule, and are typically
used to open the firewall on-demand to legitimate traffic only. See the
RULE FORMAT and EXAMPLES sections below for more information on the
stateful behaviour of ipfw."

--------
(*): Let me note that the whole intent of dynamic filtering is to permit return connections only in response to internal requests, and it presumes that such connections are somehow "safer". I'm not so confident about that assumption as some people seem to be.

Frankly, I'd prefer to use static rules with aggressive ingress and egress filtering, which also avoids the DoS potential involved with overflowing the number of dynamic connections permitted by a given system, thus causing the stateful firewall to lose track of older legitimate connections.

Excluding TCP sequence-# based attacks, a static rule forbidding new external connections (i.e., with the SYN bit set and ACK clear) to any but explicitly permitted services gives you about the same level of security without the overhead of dynamic firewall rules. YMMV, but in practice it seems to be fairly hard to perform a man-in-the-middle attack when you can't see any of the internal traffic, source routing is blocked, and internal addresses aren't permitted inbound (i.e., anti-spoofing).

[ Besides, most of the servers I deal with support RFC-1918 sequence # generation. ]

-Chuck

Chuck Swiger | chuck () codefab com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
       "The human race's favorite method for being in control of the facts
        is to ignore them."  -Celia Green

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
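The static inbound policy Chuck describes (anti-spoofing, no source routing, new connections only to published services, everything else assumed to belong to an existing conversation) as an added illustration written for this archive page, not code from the original message or from ipfw. The internal range, the external test addresses and the permitted ports are constructed assumptions; the caveat in the message (sequence-number based attacks are outside what a stateless rule can catch) shows up in the last rule, which passes any ACK-bearing segment without consulting state.

```python
# Added example: a small simulator of a stateless border ruleset, evaluated
# in order the way a static ipfw/iptables policy would be. Not ipfw itself.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")           # assumption: our inside range
PERMITTED_SERVICES = {80, 443}                        # assumption: published services
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str            # source IP as seen on the outside interface
    dst: str            # destination IP
    dport: int          # TCP destination port
    syn: bool           # SYN flag
    ack: bool           # ACK flag
    source_routed: bool = False   # IP source-route option present


def inbound_verdict(pkt: Packet) -> str:
    """Apply the static rules top to bottom; return 'allow' or 'deny: <reason>'."""
    src = ip_address(pkt.src)
    # Anti-spoofing: a packet arriving from outside may not claim an internal
    # or any other private (RFC 1918) source address.
    if src in INTERNAL_NET or any(src in net for net in RFC1918):
        return "deny: spoofed internal source"
    # Source-routed packets are dropped outright.
    if pkt.source_routed:
        return "deny: source routing"
    # A new connection attempt is SYN set with ACK clear; only the explicitly
    # permitted services may receive one from outside.
    if pkt.syn and not pkt.ack:
        if pkt.dport in PERMITTED_SERVICES:
            return "allow"
        return "deny: new connection to unpublished service"
    # Everything else carries ACK and is treated as part of a conversation an
    # inside host started. No state table is consulted, which is exactly the
    # trade-off noted above: a forged ACK segment is not caught here.
    return "allow"


if __name__ == "__main__":
    ext = "203.0.113.5"   # constructed external address (documentation range)
    for p in (Packet(ext, "192.168.1.10", 80, True, False),
              Packet(ext, "192.168.1.10", 23, True, False),
              Packet(ext, "192.168.1.10", 40000, True, True),
              Packet("10.1.2.3", "192.168.1.10", 80, True, False)):
        print(p.src, p.dport, "SYN" if p.syn else "", "ACK" if p.ack else "", "->", inbound_verdict(p))
```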
