Ok, here is a question that will show my ignorance of firewall-related
issues, but the answers will help me a great deal.
I'm trying to set up a connection which comes in on a leased line, and
hooks up to a Morningstar Express router. The router is also connected
to our local ethernet. We would like to reject all incoming login,
ftp, X11, etc. connections, except for SMTP and DNS. We would like to
allow all outgoing connections.
The packet filtering rules are as follows (a very similar setup is
described in the Morningstar manual):
For incoming packets (leased-line to ethernet):
Reject source route packets
Reject any packets claiming to be from our net
Allow DNS secondary dumps if they actually talk to the DNS server on our end
Allow SMTP if it actually connects to our mail server.
Reject FTP connections
Allow FTP data streams
Reject X11 connections
Reject login, shell, supdup, exec, uucp, chargen, finger, telnet connections
Allow connections to TCP ports 1024 and up that are not already mentioned
Reject all connections (UDP or TCP) to ports that are not already mentioned
For outgoing packets (ethernet to leased-line):
Reject any packets destined for our net
This seems pretty simple, so I must be missing something. Would some
kind person explain the gaping holes or ridiculous restrictions there
would be if I were to set it up this way? Also, are there any known
Morningstar problems (either security or performance)? Please send
email to me and I'll summarize responses to the list to reduce
redundant messages.
Thanks,
Brett
--
Brett Kuehner
bvk@mktdata.com
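As an added illustration (not from the post or the Morningstar manual), here is a first-match evaluator of the inbound rule list above, using a constructed 192.0.2.0/24 network and assumed mail and DNS server addresses, so the effect of rule order can be checked: a packet is decided by the first rule it matches, so where the "Allow FTP data streams" rule sits (taken here to mean TCP source port 20) and where the "1024 and up" rule sits decide which packets the later rejects ever see. The X11 port range and the port numbers for the named services are the conventional ones, not values from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.0.2.0/24")    # constructed, not the poster's network
MAIL_SERVER = ip_address("192.0.2.10")  # assumed mail server address
DNS_SERVER = ip_address("192.0.2.5")    # assumed DNS server address

# Conventional port numbers for the services the post lists as rejected.
REJECTED_TCP = {23: "telnet", 19: "chargen", 79: "finger", 95: "supdup",
                512: "exec", 513: "login", 514: "shell", 540: "uucp"}


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source address
    dst: str              # destination address
    sport: int            # source port
    dport: int            # destination port
    source_routed: bool = False


def inbound_rules():
    """The post's inbound rule list, in the order given, as (name, match, verdict)."""
    return [
        ("reject source-routed", lambda p: p.source_routed, "reject"),
        ("reject claimed-from-our-net", lambda p: ip_address(p.src) in OUR_NET, "reject"),
        ("allow DNS to our DNS server", lambda p: ip_address(p.dst) == DNS_SERVER and p.dport == 53, "allow"),
        ("allow SMTP to our mail server", lambda p: p.proto == "tcp" and ip_address(p.dst) == MAIL_SERVER and p.dport == 25, "allow"),
        ("reject FTP control", lambda p: p.proto == "tcp" and p.dport == 21, "reject"),
        ("allow FTP data (src port 20)", lambda p: p.proto == "tcp" and p.sport == 20, "allow"),
        ("reject X11", lambda p: p.proto == "tcp" and 6000 <= p.dport <= 6063, "reject"),
        ("reject login/shell/etc.", lambda p: p.proto == "tcp" and p.dport in REJECTED_TCP, "reject"),
        ("allow TCP 1024 and up", lambda p: p.proto == "tcp" and p.dport >= 1024, "allow"),
        ("reject everything else", lambda p: True, "reject"),
    ]


def filter_inbound(p: Packet):
    """Return (verdict, rule name) for the first rule that matches, as a first-match filter would."""
    for name, match, verdict in inbound_rules():
        if match(p):
            return verdict, name
    return "reject", "implicit default"
```

Running a few constructed packets through it shows, for example, that SMTP to any host other than the mail server falls through to the final reject, and that a TCP packet with source port 20 is allowed before the later service rejects are consulted.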