Firewall rules

Bob George mailings02@ttlexceeded.com
Wed Sep 15 23:59:12 UTC 2004


Vernon Schryver wrote:

> [...] What wording do you suggest?

I do a fair amount of security work, and count on routinely finding 
routers configured similarly to illustrate weaknesses. Might I suggest 
that you not bother saying HOW to secure the user's firewall, but rather 
focus on accurately describing WHAT needs to be allowed through: "Allow 
udp FROM port <whatever> on the client to port <whatever> on the 
server." Leave it up to the user to figure out how to do it with their 
specific firewall, or ask help from someone who understands it. That 
probably frees you from the entire liability concern in the 1st place.

Anyone reasonably adept at configuring a firewall won't need any more 
information, and if the return ports are the same (reversed source-dest 
ports) from those sent, most modern firewall products should have no 
problems. Please DO NOT recommend "drilling holes" through the firewall 
to support a specific application!

As a matter of trivia: Cisco does provide reflexive access lists and 
context-based access control features to handle these concerns, but 
they're not universal to all versions of IOS on all platforms.

- Bob
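The "reversed source-dest ports" point above is exactly what a stateful or reflexive ACL checks: the firewall remembers each permitted outbound UDP datagram and admits only the inbound datagram whose addresses and ports are the mirror image of it, for a short time. The following toy model is an added illustration, not code from the DCC project or from anyone in this thread; it compares that behaviour with the "drilled hole" of a standing inbound rule. All addresses, ports and the timeout are constructed placeholders, not DCC's real values.

```python
"""Toy model: reflexive (stateful) UDP filtering versus a static inbound hole.

Added example, not DCC code. Addresses/ports below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (src_ip, src_port, dst_ip, dst_port); None means "any".
Rule = Tuple[Optional[str], Optional[int], Optional[str], Optional[int]]
FlowKey = Tuple[str, int, str, int]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src_ip, src_port, dst_ip, dst_port = rule
    return (src_ip in (None, pkt.src_ip) and src_port in (None, pkt.src_port)
            and dst_ip in (None, pkt.dst_ip) and dst_port in (None, pkt.dst_port))


class ReflexiveFirewall:
    """Outbound UDP is checked against explicit rules. Each permitted outbound
    datagram creates a temporary entry that admits only the reversed 4-tuple
    (server:port -> client:port) until it idles out. Nothing else gets in."""

    def __init__(self, outbound_rules: List[Rule], idle_timeout: float = 30.0):
        self.outbound_rules = outbound_rules
        self.idle_timeout = idle_timeout          # placeholder value
        self.expected_replies: Dict[FlowKey, float] = {}   # reversed tuple -> expiry

    def outbound(self, pkt: Packet, now: float) -> bool:
        if not any(rule_matches(r, pkt) for r in self.outbound_rules):
            return False
        reversed_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.expected_replies[reversed_key] = now + self.idle_timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        expiry = self.expected_replies.get(key)
        if expiry is None or now > expiry:
            self.expected_replies.pop(key, None)   # expired or never solicited
            return False
        self.expected_replies[key] = now + self.idle_timeout   # refresh on traffic
        return True


class StaticHoleFirewall:
    """The 'drilled hole': a standing inbound rule to the client port. Any host
    that guesses the port can reach the client, not just the server it asked."""

    def __init__(self, inbound_rules: List[Rule]):
        self.inbound_rules = inbound_rules

    def outbound(self, pkt: Packet, now: float) -> bool:
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        return any(rule_matches(r, pkt) for r in self.inbound_rules)


# Constructed placeholder endpoints (documentation-range addresses).
CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"
CLIENT_PORT, SERVER_PORT = 40000, 5000


def run_scenario(fw) -> Dict[str, bool]:
    """Same four events against either firewall: a request, its reply, an
    unsolicited datagram from a third host, and the reply again after idling."""
    request = Packet(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT)
    reply = Packet(SERVER, SERVER_PORT, CLIENT, CLIENT_PORT)
    unsolicited = Packet(STRANGER, SERVER_PORT, CLIENT, CLIENT_PORT)
    return {
        "request": fw.outbound(request, 0.0),
        "reply": fw.inbound(reply, 1.0),
        "unsolicited": fw.inbound(unsolicited, 2.0),
        "late_reply": fw.inbound(reply, 100.0),
    }


if __name__ == "__main__":
    stateful = ReflexiveFirewall([(CLIENT, None, SERVER, SERVER_PORT)])
    hole = StaticHoleFirewall([(None, None, CLIENT, CLIENT_PORT)])
    print("reflexive:", run_scenario(stateful))
    print("static hole:", run_scenario(hole))
```

The reflexive model admits the genuine reply and nothing else; the static hole admits the stranger's datagram and keeps the port open indefinitely, which is the exposure the post warns about. Real products (Cisco reflexive ACLs and CBAC, as the post mentions, or conntrack-based filters) differ in timeout handling and in what they key on, but the matching idea is the same.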



More information about the DCC mailing list