+-- On Sep 24, 1:42pm, John Larson wrote:
> >> As far as I'm concerned, the proper filtering is to not pass packets.
> >> That's the way we run. People must ftp stuff onto the firewall, then
> >> off, or log in and telnet out.
> Our experience at Xerox PARC is that one of the weakest links is the
> users' poor selection of passwords on the firewall gateway
Our first line of defense is filtering of packets on the router which
connects us to the Internet. We are running a version of NOS ka9q to
route between our ethernet backbone and the SLIP connection that we
have to the rest of the Internet. I put in a very simple hack to drop
any incoming packets that are addressed to privileged ports, other
than SMTP and NNTP packets. That disallows any incoming telnet, ftp,
login, etc., while allowing all of our users to access any machine
outside of our site from their own machines and without having any
effect on our internal network. We don't have a need for it right now,
but it would be just as easy to have the software let through ftp or
telnet packets with a particular machine destination if we want to
run, say, an anonymous ftp server sometime in the future when we get a
faster connection to the outside.
This seems like a much simpler approach and less restrictive to the
users than the Sun gateway, but it is so simple that I'm afraid that
I'm missing something. Can anyone poke any holes in the method or come
up with advantages to using a gateway?
-- Sidney Markowitz <sidney @
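The port-based filter described in the post above, modelled in Python as an added example (this is not code from the post or from NOS/ka9q). Port numbers 25, 119, 21 and 23 are the standard SMTP, NNTP, FTP and telnet ports; the packet representation, the per-host exception table and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

PRIVILEGED_PORT_MAX = 1023          # ports 0-1023 are "privileged"
ALWAYS_ALLOWED_INBOUND = {25, 119}  # SMTP and NNTP, as in the post

@dataclass(frozen=True)
class Packet:
    inbound: bool    # True when the packet arrives from the SLIP/Internet side
    dst_host: str    # destination address inside the site (constructed names)
    dst_port: int    # destination transport port

def filter_packet(pkt, host_exceptions=None):
    """Return 'pass' or 'drop' for one packet.

    host_exceptions maps a destination host to a set of privileged ports that
    are allowed for that host only (the future anonymous-ftp case in the post).
    Note what the decision does NOT look at: source address, source port,
    protocol, or TCP flags. Anything listening above port 1023 is reachable
    from outside, because replies to user-initiated connections must land there.
    """
    host_exceptions = host_exceptions or {}
    if not pkt.inbound:
        return "pass"                               # outbound is never filtered
    if pkt.dst_port > PRIVILEGED_PORT_MAX:
        return "pass"                               # unprivileged: let it through
    if pkt.dst_port in ALWAYS_ALLOWED_INBOUND:
        return "pass"                               # mail and news
    if pkt.dst_port in host_exceptions.get(pkt.dst_host, set()):
        return "pass"                               # per-host exception
    return "drop"                                   # any other privileged port

# Constructed sample traffic: the ftp server exception is hypothetical.
EXCEPTIONS = {"ftp-server": {21}}

def demo():
    samples = [
        ("inbound telnet to a workstation", Packet(True, "ws1", 23)),
        ("inbound smtp to the mail host", Packet(True, "mailhost", 25)),
        ("inbound ftp to the ftp server", Packet(True, "ftp-server", 21)),
        ("inbound ftp to a workstation", Packet(True, "ws1", 21)),
        ("inbound reply to a user's connection", Packet(True, "ws1", 1025)),
        ("outbound telnet from a workstation", Packet(False, "remote", 23)),
    ]
    return [(desc, filter_packet(p, EXCEPTIONS)) for desc, p in samples]

if __name__ == "__main__":
    for desc, verdict in demo():
        print(f"{verdict:5s}  {desc}")
```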