Firewall rules

Richard Underwood richard@aspectgroup.co.uk
Mon Sep 13 14:22:57 UTC 2004


Alex wrote:
> My firewall rule (not ipchains or Cisco IOS), says the 
> direction of udp packets is send-receive.  I can also define 
> receive-send or both directions.  Does it sound reasonable 
> that send-receive direction would not allow someone to bind 
> to port 6277 and then connect to port 3306?

	I'm afraid without knowing details of your firewall, I can't help
you here.

Vernon wrote:
> The same considerations apply to DNS.  What do you firewall 
> rules say about port 53?  If you block responses from distant 
> port 53 to your local anonymous ports, can you still resolve 
> external domain names? (If you have a local caching server, 
> you'd want to test blocking its traffic, since your local 
> resolvers should be talking to it.)
> 
	Yes - there's exactly the same problem with port 53. No difference.
If you allow UDP packets inbound based solely upon the source port, you are
opening yourself up to risk. In the past I have been involved with security
audits and this is a problem more often than you'd believe.

> Unless your firewall is smart enough to know that a 
> legitimate incoming UDP packet from a distant port 6277 to a 
> local port must always be preceded by an outgoing packet from 
> that same local port to port 6277 at that same distant IP 
> address within 30 seconds, I don't see how to address the worry.

	This is exactly what stateful firewalls do (and indeed some
"stateless" firewalls that perform many-to-one NAT [PAT in Cisco terms] do
because of their NAT/PAT tables). An outgoing packet effectively creates a
small hole in the inbound access list.

	I believe IOS will do this, but I think that you need the "Firewall"
version of IOS.

	I'm not saying there's a solution, although it could be argued that
a router with ordinary IOS access lists shouldn't be used as a firewall. 

> What wording do you suggest?
> 
	Umm! How about adding something like this just before "Please use
this document at your own risk."

"Filtering inbound traffic by source port may allow undesirable traffic onto
your network. Where possible, stateful firewalling should be used."

		Richard



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.