nanog mailing list archives
Re: I don't need no stinking firewall!
From: Henry Yen <henry () AegisInfoSys com>
Date: Tue, 5 Jan 2010 16:55:22 -0500
On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote:
> Jason Shearer wrote:
> > Doesn't using the established allow any packet with ACK/RST set
>
> Yes, as would be expected for legitimate return traffic for a TCP connection initiated from a browser inside the firewall.
>
> > and wouldn't you have to allow all high ports?
>
> That's what the ">" is for. Cisco syntax "gt" (greater than).
One could also use reflexive access lists, which are much better than static lists, although that takes you back to stateful. It is possible to combine them both to achieve a mostly stateless setup while still having better overall security.
The point is that either of these will deny unsolicited new connection attempts from the outside to TCP 22 (and 445, 135, etc.)
--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York
(800) 234-4700
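The two approaches discussed above, as a constructed model added here (not code from the thread or from Cisco): a stateless `established` / `gt 1023` rule that decides on packet contents alone, beside a reflexive list that permits only replies to a recorded outbound connection. Host addresses, ports and the `ReflexiveList` helper are assumptions for the example.

```python
"""Constructed model of a stateless 'established' ACL versus a reflexive list.
Addresses and ports are made up; this is not IOS code, only its decision logic."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"ACK"})


INSIDE_HOST = "192.0.2.10"  # constructed: a browser behind the router


def stateless_permit(pkt: Packet) -> bool:
    """Models 'permit tcp any any gt 1023 established': destination port above
    1023 and ACK or RST set. Everything else falls to the implicit deny."""
    return pkt.dport > 1023 and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveList:
    """'reflect' records a reverse entry per outbound connection; 'evaluate'
    permits an inbound packet only if it matches a recorded entry."""
    def __init__(self) -> None:
        self.entries: set[tuple] = set()

    def reflect(self, outbound: Packet) -> None:
        # Reverse entry: remote address/port -> inside address/port.
        self.entries.add((outbound.dst, outbound.dport, outbound.src, outbound.sport))

    def permit(self, inbound: Packet) -> bool:
        return (inbound.src, inbound.sport, inbound.dst, inbound.dport) in self.entries


# Constructed traffic: one web request leaves, four packets try to come back in.
WEB_REQUEST = Packet(INSIDE_HOST, 40000, "203.0.113.5", 80, frozenset({"SYN"}))
INBOUND = [
    ("web reply", Packet("203.0.113.5", 80, INSIDE_HOST, 40000, frozenset({"ACK"}))),
    ("new ssh conn", Packet("198.51.100.7", 51000, INSIDE_HOST, 22, frozenset({"SYN"}))),
    ("new smb conn", Packet("198.51.100.7", 51001, INSIDE_HOST, 445, frozenset({"SYN"}))),
    ("unsolicited ack", Packet("198.51.100.7", 80, INSIDE_HOST, 40001, frozenset({"ACK"}))),
]


def run() -> dict[str, tuple[bool, bool]]:
    """Return {label: (stateless_permits, reflexive_permits)} for each inbound packet."""
    rl = ReflexiveList()
    rl.reflect(WEB_REQUEST)
    return {label: (stateless_permit(p), rl.permit(p)) for label, p in INBOUND}


if __name__ == "__main__":
    for label, (stateless, reflexive) in run().items():
        print(f"{label:16} stateless={'permit' if stateless else 'deny':6} "
              f"reflexive={'permit' if reflexive else 'deny'}")
```

Both lists deny the unsolicited connection attempts to 22 and 445; only the reflexive list also rejects the ACK-flagged packet that no inside host asked for, which is the trade-off Henry points to between staying stateless and adding state.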