Re: Trust an IP? (IPTables)

[David Lang <dlang () diginsite com>]

the fundamental problem with the r* tools wasn't trusting an IP address,
it was trusting a 'root' source port.

if you have anti-spoofing filters on your perimiter then the only risk you
run with IP address rules are attacks from the same network. you will have
to look at your own situation to decide what's right for it.

David Lang


 On Wed, 30 Apr 2003, Chris de Vidal wrote:

> Date: Wed, 30 Apr 2003 09:06:58 -0700 (PDT)
> From: Chris de Vidal <cdevidal () yahoo com>
> Reply-To: chris () devidal tv
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] Trust an IP? (IPTables)
>
> I need to allow a backup server to connect to its port
> (20031) on a server running IPTables.  I recall all of
> the security risks of trusting an IP (r* tools).  Is
> it safe to allow a specific IP to connect to a
> specific port through the firewall?  Something like
> this:
> MY_IP=123.456.789.11
> BACKUP_SERVER=123.456.789.10
> iptables -A INPUT -s $BACKUP_SERVER -i eth0 --dport \
> 20031 -j ACCEPT
> (Also allow related/established traffic)
>
> If someone sniffed that traffic, they might spoof that
> IP and start probing that port for vulnerabilities.
>
> Locking it to the MAC address might be even better,
> but perhaps even that can be spoofed.  That's why I'm
> asking the pros.
>
> So is it safe to trust an IP to connect to one port,
> ala the old r* tools?  If not, what is a good alternative?
>
> =====
> /dev/idal
> "GNU/Linux is free freedom" --Me
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
> http://search.yahoo.com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards