John Hasselkus <johnh @
fbsw .
tt .
com> wrote:
| OK, so we've seen there all kinds of holes in simply filtering ports 1-24,
| 26-1023, so what _is_ the proper way to configure a router when acting as
| as part of a firewall.
Q. How do I configure my packet filter?
A. Drop all incoming traffic except the ports you need. Examples include:
- SMTP (25/tcp) to your mail receiver(s)
- Nameserver traffic (53/udp) and zone transfers (53/tcp)
- Network Time protocol traffic (123/udp, 123/tcp) if you care about this.
- NNTP (119/tcp) if you care about this. Configure your nntpd to only
accept xfer connections from your feeds, to provide the Internet a minimal
level of protection against news forgery :-)
- you may want a few other services -- eg. dirsrv (1525/udp) for the
Prospero Archie client, but be careful. This applies to any services you
want to enable. Log those services with a TCP wrapper package.
Never allow random UDP in, especially NFS, YP and other RPC services.
This was the easy part. The next step depends on whether you have a "bastion
host" (see the firewall docs on ftp.greatcircle.com) and how much access to
the Internet you wish to give your users. If you have bastion host and are
using proxy commands to go through that host for Internet access, then
you're ok. (well, you'll have a different set of problems, but they don't
have to do with the router -- you now get to deal with every new protocol
and client and make it deal with the proxy). If you don't have a bastion
host and are just relying on the router to provide security:
Problem 1. TCP connections are bidirectional, obviously -- your firewall as
configured above will drop all incoming packets, making TCP sessions
impossible. Your users cannot telnet out, for example. (You may well
consider this a feature)
If you want your users to be able to make TCP connections to the outside
world, then you have to let in incoming TCP packets to ports > 1024 EXCEPT
those that have the SYN bit set. (the > 1024 is a Unix restriction, by the
way) See <9401141600 .
AA07913 @
mycroft .
GreatCircle .
COM> in the archives for
Steve Bellovin's explanation on this, or follow his recommendation and get
Richard Stevens' new book ``TCP/IP Illustrated''. If your firewall doesn't
let you drop SYN packets,
let in everything above 1024 except for things like X, OpenWindows,
Annexes, SQL/database servers, etc (tedious, time-consuming process
that requires you to make sure you know every port that's being
listened on in any internal host or network appliance on your net),
or
fix all your external applications to bind to a specific range of
ports and only let those in, making sure you don't have any daemons
listening in that range!
Problem 2. ftp requires that the remote host open a connection to the local
host on a dynamically allocated port for the returned data. (There is a
statically allocated ftp-data port, but it's a bit of a nuisance to use it
-- only one user can use ftp at a time on a given machine, and there's a
delay of at least a minute between transfers).
There's stuff in the archives about this, specifically a PASV mode patches
for both ftp and ftpd, there are proxy ftp (and other client) toolkits.
Recommended reading from the archives:
<199311010132 .
AA13782 @
quack .
kfu .
com> Nick Sayer <mrapple @
quack .
kfu .
com>
<9311102206 .
AA12182 @
futureworld .
advtech .
uswest .
com> Brad Huntting <huntting @
advtech .
uswest .
com>
<9312151417 .
AA14556 @
mycroft .
GreatCircle .
COM> smb @
research .
att .
com
<9312151615 .
AA15097 @
mycroft .
GreatCircle .
COM> Brent Chapman <brent @
greatcircle .
com>
<199312261647 .
AA12599 @
quack .
kfu .
com> Nick Sayer <nsayer @
quack .
kfu .
com>
<9401191640 .
AA13454 @
arian .
universe> hsafai @
esri .
com (Houman Safai )
<9401200953 .
AA03582 @
tadpole .
tadpole .
com> jim @
Tadpole .
COM (Jim Thompson)
<9401141600 .
AA07913 @
mycroft .
GreatCircle .
COM> smb @
research .
att .
com
Mark.
|
|
