nanog mailing list archives

Re: I don't need no stinking firewall!


From: Jay Hennigan <jay () west net>
Date: Tue, 05 Jan 2010 13:04:01 -0800

Simon Lockhart wrote:

> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>
>   - Allow from home DSL IP to server port 22
>   - Allow from anywhere port 80 to server

Change the above to:
    - Allow from anywhere port 80 to server port > 1023

Or better:
    - Allow from anywhere port 80 to server port > 1023 established

>   - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.

Those outbound connections will originate from a random high port, so just allow those as destination ports on your inbound rule.

> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.

Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
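The three rule sets discussed in this thread, as an added stateless-ACL evaluator that is not part of the original posts (addresses, port numbers and the packet samples are constructed). It applies each policy to a handful of inbound packets and shows why the original "allow from anywhere port 80 to server" rule lets a SYN sourced from port 80 reach port 22, why "port > 1023" closes that hole, and why "established" (matching only segments with ACK or RST set, as Cisco IOS does) further stops unsolicited SYNs to high ports. The equivalent IOS extended ACL lines appear as comments and are included as an assumption about syntax, not as text from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal TCP packet, enough for a stateless ACL decision."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool  # True when ACK (or RST) is set; a fresh SYN has ack=False


# Constructed sample addresses (RFC 5737 documentation ranges).
SERVER = "192.0.2.10"
HOME_DSL = "198.51.100.7"
ATTACKER = "203.0.113.66"


# Rule 1 (shared by all three policies):
#   access-list 101 permit tcp host 198.51.100.7 host 192.0.2.10 eq 22
def allow_ssh_from_home(p: Packet) -> bool:
    return p.src_ip == HOME_DSL and p.dst_ip == SERVER and p.dst_port == 22


# Simon's original rule 2:
#   access-list 101 permit tcp any eq 80 host 192.0.2.10
def allow_from_port_80(p: Packet) -> bool:
    return p.dst_ip == SERVER and p.src_port == 80


# Jay's first fix: only high destination ports (the ephemeral range):
#   access-list 101 permit tcp any eq 80 host 192.0.2.10 gt 1023
def allow_from_port_80_to_highport(p: Packet) -> bool:
    return allow_from_port_80(p) and p.dst_port > 1023


# Jay's second fix: additionally require ACK/RST, i.e. "established":
#   access-list 101 permit tcp any eq 80 host 192.0.2.10 gt 1023 established
def allow_from_port_80_established(p: Packet) -> bool:
    return allow_from_port_80_to_highport(p) and p.ack


# Each policy is an ordered list of permit rules; an implicit deny follows.
POLICIES = {
    "original": [allow_ssh_from_home, allow_from_port_80],
    "highport": [allow_ssh_from_home, allow_from_port_80_to_highport],
    "established": [allow_ssh_from_home, allow_from_port_80_established],
}


def evaluate(policy: str, pkt: Packet) -> str:
    """First-match evaluation; anything unmatched hits the final deny."""
    for rule in POLICIES[policy]:
        if rule(pkt):
            return "permit"
    return "deny"


# Constructed inbound packets, as seen by the ACL on the server's interface.
SAMPLES = {
    # Legitimate SSH from the home DSL line.
    "ssh_from_home": Packet(HOME_DSL, 51000, SERVER, 22, ack=False),
    # Legitimate return traffic for an outbound HTTP fetch (ACK set).
    "http_reply": Packet("198.51.100.200", 80, SERVER, 40000, ack=True),
    # Unsolicited SYN sourced from port 80 aimed at SSH (the thread's concern).
    "syn_80_to_22": Packet(ATTACKER, 80, SERVER, 22, ack=False),
    # Unsolicited SYN sourced from port 80 aimed at a high port.
    "syn_80_to_high": Packet(ATTACKER, 80, SERVER, 40000, ack=False),
}


def decision_table() -> dict:
    """Map each sample packet to its verdict under every policy."""
    return {
        name: {policy: evaluate(policy, pkt) for policy in POLICIES}
        for name, pkt in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in decision_table().items():
        print(f"{name:16s}", verdicts)
```

Running the block prints one row per packet; the two legitimate packets are permitted under every policy, the SYN to port 22 is permitted only by the original rule set, and the SYN to a high port is permitted by both the original and the "port > 1023" variants but denied once "established" is added. The "established" check is still stateless: it looks only at flags in the packet in hand, so a crafted segment with ACK set to a high port would match, which is the residual gap a stateful filter closes.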
