Great Circle Associates Firewalls
(September 1992)
 


Subject: Re: none + some VS all - some
From: Amos Shapira <amoss @ cs . huji . ac . il>
Date: Fri, 25 Sep 92 13:46:31 +0200
To: firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 24 Sep 92 16:45:21 PDT . <9209242345 . AA11944 @ gorn . hal . com>

In message <9209242345 . AA11944 @ gorn . hal . com> jonl @ hal . com (frederick smythe, esquire) writes:
|proxy type service.  my plan was to allow all incoming connections - 
|connects to ports < 1024 OR a specific list of other dangerous-type
|ports (like the X server).  i'm aware that this means that someone can
|run their own program from inside which could be a major security problem,
|but since i haven't had time to convert our firewall machine to a config
|which doesn't let all the users have login access, that is already the case.
|my main questions i have right now are...

[ deleted ]
|2) are there any other issues which i may not be aware of?

I think you might be interested in the "established" parameter in the extended
access-list provided by Cisco.  This will allow you to initiate any TCP
connections to the outside, and let the outside machine respond to the connection,
but will not allow outside machines to initiate a TCP connection.  This is
how I plan to install the firewall here.

I'm aware that this is not 100% ideal (one drawback which immediately comes to
mind is having an outside machine spoofing an outbound connection and starting to
pretend it's answering it instead of the real addressee; I guess Kerberos
can block such an attack but this is not a firewall issue), but it must be
much better than being completely open to the world (and also I don't believe
any student/kiddo-level cracker will invest so much in infiltrating a
Uni...).

Any opinions about improvements in this direction are welcome (but one
cornerstone of our firewall is that it shouldn't require any special software for
normal operation; we hate replacing vendor-supplied software with locally-written
specialized software which has to be updated every once in a while).

|
|--jon

--Amos Shapira

CS System Group, Hebrew University, Jerusalem, Israel
amoss @ cs . huji . ac . il
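
An added illustration of the "established" rule discussed in the message above (not part of the original post and not Cisco's code): a small Python model of the per-packet decision, assuming the documented behaviour that `established` matches TCP segments with the ACK or RST bit set. The packets are constructed samples, and the names `Packet`, `inbound_acl` and `evaluate` are hypothetical.

```python
from dataclasses import dataclass

# Rule being modeled, applied to traffic arriving from the outside:
#   access-list 101 permit tcp any any established
#   (every access list ends with an implicit deny)

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags set on this segment
    note: str = ""                  # description of the constructed sample

def established(pkt):
    """'established' match: a TCP segment with ACK or RST set."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def inbound_acl(pkt):
    """Verdict for one packet arriving from outside; no state is kept."""
    if established(pkt):
        return "permit"
    return "deny"  # implicit deny: bare SYNs and all non-TCP traffic

# Constructed sample packets, all arriving on the outside interface.
SAMPLES = [
    Packet("tcp", frozenset({"SYN"}), "outside host opens a connection"),
    Packet("tcp", frozenset({"SYN", "ACK"}), "reply to a connection opened from inside"),
    Packet("tcp", frozenset({"ACK", "PSH"}), "data on that connection"),
    Packet("tcp", frozenset({"RST"}), "outside host refuses an inside connection"),
    Packet("udp", frozenset(), "UDP datagram (no flags to inspect)"),
    # Limitation: the match looks at one segment at a time, so the filter
    # cannot tell a genuine reply from a segment that belongs to no connection.
    Packet("tcp", frozenset({"ACK"}), "ACK segment belonging to no connection"),
]

def evaluate(samples):
    """Return (description, verdict) pairs for a list of packets."""
    return [(p.note, inbound_acl(p)) for p in samples]

if __name__ == "__main__":
    for note, verdict in evaluate(SAMPLES):
        print(f"{verdict:6}  {note}")
```

The last sample shows why the rule alone is a coarse filter: the inside hosts' own TCP stacks, not the router, are what reject segments that match no connection, and UDP services need separate rules.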


