Firewall Wizards mailing list archives
Re: Trust an IP? (IPTables)
From: David Lang <dlang () diginsite com>
Date: Thu, 1 May 2003 02:43:20 -0700 (PDT)
The fundamental problem with the r* tools wasn't trusting an IP address, it was trusting a 'root' source port. If you have anti-spoofing filters on your perimeter then the only risk you run with IP address rules is attacks from the same network. You will have to look at your own situation to decide what's right for it.

David Lang

On Wed, 30 Apr 2003, Chris de Vidal wrote:
Date: Wed, 30 Apr 2003 09:06:58 -0700 (PDT)
From: Chris de Vidal <cdevidal () yahoo com>
Reply-To: chris () devidal tv
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Trust an IP? (IPTables)

I need to allow a backup server to connect to its port (20031) on a server running IPTables. I recall all of the security risks of trusting an IP (r* tools). Is it safe to allow a specific IP to connect to a specific port through the firewall? Something like this:

    # placeholder addresses (octets above 255 are not valid IPv4; substitute real ones)
    MY_IP=123.456.789.11
    BACKUP_SERVER=123.456.789.10
    # -p tcp added: --dport is only accepted together with a protocol match
    iptables -A INPUT -s $BACKUP_SERVER -i eth0 -p tcp --dport 20031 -j ACCEPT

(Also allow related/established traffic.)

If someone sniffed that traffic, they might spoof that IP and start probing that port for vulnerabilities. Locking it to the MAC address might be even better, but perhaps even that can be spoofed. That's why I'm asking the pros.

So is it safe to trust an IP to connect to one port, ala the old r* tools? If not, what is a good alternative?

=====
/dev/idal
"GNU/Linux is free freedom" --Me

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
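The ruleset the two messages describe, written out as an added example (it is not code from either poster): a perimeter anti-spoofing drop, stateful acceptance of established/related traffic, and the single-host, single-port allow from the question with the protocol match that --dport requires. Interface names (eth0 inside, eth1 outside), the 192.0.2.0/24 documentation range and the 192.0.2.10 backup address are constructed placeholders; the build_rules function prints the commands for review instead of running them, and "apply" pipes them to a shell.

```shell
#!/bin/sh
# Added example: iptables ruleset combining perimeter anti-spoofing with a
# trusted-host rule for one port. All names and addresses are placeholders.
set -eu

EXT_IF="${EXT_IF:-eth1}"                  # assumption: interface facing the outside
INT_IF="${INT_IF:-eth0}"                  # assumption: interface facing the backup server
INT_NET="${INT_NET:-192.0.2.0/24}"        # placeholder internal network (RFC 5737 range)
BACKUP_SERVER="${BACKUP_SERVER:-192.0.2.10}"   # placeholder backup host
BACKUP_PORT="${BACKUP_PORT:-20031}"

# Emit one command per line rather than executing, so the ruleset can be
# inspected (or checked by a script) before it touches the firewall.
build_rules() {
    cat <<EOF
# strict reverse-path check: the kernel drops packets whose source would not be routed back the same way
sysctl -w net.ipv4.conf.all.rp_filter=1
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# anti-spoofing: nothing arriving on the outside interface may claim an inside source address
iptables -A INPUT -i $EXT_IF -s $INT_NET -j DROP
# the trusted-host rule from the question; -p tcp is required for --dport, and
# binding it to the inside interface means an outside spoofer never matches it
iptables -A INPUT -i $INT_IF -p tcp -s $BACKUP_SERVER --dport $BACKUP_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Sanity check on the generated set: exactly one ACCEPT should name the backup host.
count_trusted_accepts() {
    build_rules | grep -c -- "-s $BACKUP_SERVER .*-j ACCEPT"
}

# Does the generated set drop inside-sourced packets on the outside interface?
has_antispoof_drop() {
    build_rules | grep -q -- "-i $EXT_IF -s $INT_NET -j DROP"
}

case "${1:-}" in
  apply) build_rules | sh ;;     # run as root to install the rules
  *)     build_rules ;;          # default: dry run, print the commands only
esac
```

Run the script with no arguments to review the commands; "apply" installs them. The anti-spoofing drop is what makes David Lang's point hold in practice: with it in place, a packet forging the backup server's address can only reach the port rule if it already originates on the inside network.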
Current thread:
- Re: Trust an IP? (IPTables) Daniel Linder (May 01)
- RE: Trust an IP? (IPTables) Bojan Zdrnja (May 02)
- <Possible follow-ups>
- Re: Trust an IP? (IPTables) David Lang (May 01)
- Re: Trust an IP? (IPTables) Paul Robertson (May 01)