Firewall Wizards mailing list archives

RE: terminal services


From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Wed, 29 Jan 2003 08:26:20 +0100

Barney Wolff <barney () pit databus com> wrote on January 29, 2003 1:36 AM:
Any network without a state-keeping firewall between it and the Internet really needs to have just one or two DNS caching proxies doing requests from port 53, ditto NTP, and block all other UDP. Anything else is just too dangerous, not by a little, but by a whole lot.

Source ports are worth pretty much zilch when filtering TCP or UDP. It's not
a good security decision to design a filter that attempts to allow (only)
outbound DNS queries based on outbound packets having source port 53 and
inbound packet having destination port 53. Rather, the source port (in the
outbound direction) should be able to be pretty much anything, while the
destination port is the one that needs to be checked. Same for NTP or any
other service.

There are protocols that use fixed client as well as server ports. IKE
appears to be one of them (but DNS and NTP definitely aren't). You can
configure your packet filter, stateful or not, more restrictively by
restricting the source ports used. It may buy you some added security. Most
of the time, that won't be much, though.

Cheers,
Tobias
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
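A worked illustration of the distinction drawn in the reply above, added here as an example and not code from the thread: two minimal UDP filter policies evaluated over constructed sample traffic. The addresses, ports and the Packet helper are assumptions made for the demo.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")

# Constructed sample traffic (not from the thread). 10.0.0.2 is an internal
# caching resolver that, as the quoted advice suggests, sends from port 53;
# 192.0.2.53 is its upstream server. The third datagram is unsolicited.
TRAFFIC = [
    Packet("out", "udp", "10.0.0.2", 53, "192.0.2.53", 53),      # query
    Packet("in",  "udp", "192.0.2.53", 53, "10.0.0.2", 53),      # its reply
    Packet("in",  "udp", "198.51.100.9", 4444, "10.0.0.7", 53),  # unsolicited
]

ALLOWED_SERVICES = {("udp", 53), ("udp", 123)}   # DNS and NTP

def source_port_filter(packets):
    """Stateless rules keyed on the *source* port, the design the reply
    criticises: outbound passes if its sport is a permitted service port,
    inbound passes if its dport is one. Returns one verdict per packet."""
    verdicts = []
    for p in packets:
        port = p.sport if p.direction == "out" else p.dport
        verdicts.append((p.proto, port) in ALLOWED_SERVICES)
    return verdicts

def stateful_dest_port_filter(packets):
    """Outbound passes only if its *destination* is a permitted service and
    the flow is then recorded; inbound passes only as the exact reverse of a
    recorded flow. All other UDP is dropped."""
    flows = set()
    verdicts = []
    for p in packets:
        if p.direction == "out":
            ok = (p.proto, p.dport) in ALLOWED_SERVICES
            if ok:
                flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        else:
            ok = (p.proto, p.dst, p.dport, p.src, p.sport) in flows
        verdicts.append(ok)
    return verdicts

if __name__ == "__main__":
    for name, policy in (("source-port", source_port_filter),
                         ("stateful dest-port", stateful_dest_port_filter)):
        print(name, ["pass" if v else "drop" for v in policy(TRAFFIC)])
```

The source-port policy admits the unsolicited datagram to port 53 on any internal host, while the stateful destination-port policy passes only the reply to the recorded query.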

