nanog mailing list archives

RE: I don't need no stinking firewall!


From: Jason Shearer <jshearer () amedisys com>
Date: Tue, 5 Jan 2010 15:08:59 -0600

Doesn't using "established" allow any packet with ACK/RST set, and wouldn't you have to allow all high ports?

Jason

-----Original Message-----
From: Jay Hennigan [mailto:jay () west net]
Sent: Tuesday, January 05, 2010 3:04 PM
To: nanog () nanog org
Subject: Re: I don't need no stinking firewall!

Simon Lockhart wrote:

> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>
>   - Allow from home DSL IP to server port 22
>   - Allow from anywhere port 80 to server

Change the above to:
     - Allow from anywhere port 80 to server port > 1023

Or better:
     - Allow from anywhere port 80 to server port > 1023 established

>   - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.

Those outbound connections will originate from a random high port, so
just allow those as destination ports on your inbound rule.

> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.

Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
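A small evaluator for the three stateless inbound ACLs discussed above, added here as an illustration (it is not code from the list, from Simon or from Jay): it runs the original ACL, the "> 1023" variant and the "established" variant over constructed packets, including the port-80-to-port-22 case and a bare-ACK packet, which "established" (IOS semantics: ACK or RST bit set, no state kept) admits, as Jason's question points out. Host addresses and ports are constructed placeholders.

```python
# Added example, not from the thread: evaluate the three stateless inbound
# ACLs from Jay's reply against constructed packets. Hosts are placeholders.
SERVER, HOME_DSL, ATTACKER = "192.0.2.10", "198.51.100.7", "203.0.113.9"

def rule(src="any", sport=None, dst="any", dport=None, established=False):
    """One ACL entry; dport is an int, an inclusive (low, high) tuple, or None."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": established}

def matches(r, p):
    if r["src"] != "any" and r["src"] != p["src"]:
        return False
    if r["sport"] is not None and r["sport"] != p["sport"]:
        return False
    if r["dst"] != "any" and r["dst"] != p["dst"]:
        return False
    d = r["dport"]
    if isinstance(d, tuple) and not d[0] <= p["dport"] <= d[1]:
        return False
    if isinstance(d, int) and d != p["dport"]:
        return False
    # IOS-style 'established': ACK or RST bit set; no connection state is kept
    if r["established"] and not (p["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, p):
    """First matching permit wins; implicit deny otherwise."""
    return "permit" if any(matches(r, p) for r in acl) else "deny"

SSH_RULE = rule(src=HOME_DSL, dst=SERVER, dport=22)
ACL_ORIGINAL = [SSH_RULE, rule(sport=80, dst=SERVER)]
ACL_HIGHPORT = [SSH_RULE, rule(sport=80, dst=SERVER, dport=(1024, 65535))]
ACL_ESTABLISHED = [SSH_RULE, rule(sport=80, dst=SERVER, dport=(1024, 65535),
                                  established=True)]

def pkt(src, sport, dport, *flags):
    return {"src": src, "sport": sport, "dst": SERVER, "dport": dport,
            "flags": set(flags)}

PACKETS = {  # constructed sample packets, all inbound to SERVER
    "ssh_from_home": pkt(HOME_DSL, 51000, 22, "SYN"),
    "http_reply": pkt("203.0.113.80", 80, 40000, "ACK"),     # reply to outbound HTTP
    "sport80_to_ssh": pkt(ATTACKER, 80, 22, "SYN"),          # Simon's concern
    "sport80_to_highport": pkt(ATTACKER, 80, 8080, "SYN"),   # new flow to a high port
    "sport80_ack_only": pkt(ATTACKER, 80, 8080, "ACK"),      # Jason's question
}

def results(acl):
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("> 1023", ACL_HIGHPORT), ("established", ACL_ESTABLISHED)):
        print(label, results(acl))
```

The "established" variant still lets the bare-ACK packet through; only the host's TCP stack (which answers with a RST for a non-existent connection) or a stateful device can reject it.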

