Great Circle Associates Firewalls
(July 1994)

Subject: Re: Faking source address on TCP packets
From: "Rob Tanner" <tanner@george.arc.nasa.gov>
Date: Thu, 07 Jul 1994 21:46:00 -0700
To: david@bdt.com (David Beckemeyer)
Cc: firewalls@greatcircle.com
In-reply-to: Your message of Thu, 07 Jul 1994 23:47:57 +0000. <CsLGrx.HH4@bdt.com>

>In article <9407061504.AA04237@whizbang.intellistor.com>,
>Quentin Johnson <quent.johnson@intellistor.com> wrote:
>>Why not put a router/packet filter between the Internet and the bastion
>>host?  Then you can tell the router to drop packets going to your
>>networks that have your IP addresses since nobody with your IP
>>addresses should be coming through the router from the Internet.

That's a pretty standard practice I would imagine.  Simply set up a
filter for the router that says drop any packet that comes from subnet
such and such.

>This requires a router which supports separate filters for
>incoming and outgoing traffic right?  It's my understanding
>that not all routers have this feature.  Am I wrong?
>

By incoming and outgoing do you mean inbound and outbound to/from the
protected network, or do you mean the port the packet enters by and the
port the packet leaves by?  If the latter, I believe you are correct.
However, it's really only an issue if the router has more than 2
ethernet ports.

The problem with more than 2 ports and output side only filtering is
that the port in question (assuming it's on the protected net) won't
know if the packet came from another port on the protected net, or
from the outside.  Hence, there's no way to know whether the packet
should be dropped or passed.  With only 2 ports, there's only one
place that packet could have come from, and what to do with it is
obvious.

Hope that helps.

-- Rob Tanner

      _ _ _ _           _    _ _ _ _ _  
     /\_\_\_\_\        /\_\ /\_\_\_\_\_\  
    /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  Robert J. Tanner
   /\/_/__\/_/ __    /\/_/    /\/_/       Ames Research Center
  /\/_/_/_/_/ /\_\  /\/_/    /\/_/        (415) 604-3451 (SETI)
 /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (415) 604-5347 (Kuiper)
 \/_/  \/_/  \/_/_/_/_/     \/_/          tanner@george.arc.nasa.gov
 ____________________________________________________________________
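The distinction Rob draws above, as an added example that is not part of the original post or the list archive: a small model of a router whose filter can see the port a packet entered by (and so can drop Internet-sourced packets claiming an internal address), beside an output-side-only filter that, on a router with three or more ports, cannot tell a forged packet from one forwarded between two internal subnets. Interface names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    in_iface: str  # port the packet arrived on

class Router:
    """Constructed model: one Internet-facing port plus internal ports,
    each internal port attached to one protected subnet."""
    def __init__(self, external_iface, internal_nets):
        self.external_iface = external_iface
        self.internal_nets = {i: IPv4Network(n) for i, n in internal_nets.items()}

    def is_ours(self, addr):
        return any(addr in net for net in self.internal_nets.values())

    def ingress_filter(self, pkt):
        """Input-side rule from the thread: a packet that enters from the
        Internet but carries one of our source addresses is forged; drop it."""
        if pkt.in_iface == self.external_iface and self.is_ours(pkt.src):
            return "drop"
        return "pass"

    def egress_only_filter(self, pkt, out_iface):
        """Output-side rule on an internal port that cannot see pkt.in_iface.
        Returns 'drop', 'pass', or 'ambiguous' when it cannot decide."""
        if out_iface not in self.internal_nets:
            raise ValueError("anti-spoofing on output applies to internal ports")
        if not self.is_ours(pkt.src):
            return "pass"
        # Two ports: the only other port is the Internet, so the packet
        # must have come from outside and the decision is obvious.
        if len(self.internal_nets) == 1:
            return "drop"
        # Three or more ports: it may have come from another internal port
        # (legitimate) or from the Internet (forged); the output port alone
        # cannot tell, which is the weakness Rob describes.
        return "ambiguous"

def demo():
    two_port = Router("ser0", {"eth0": "192.0.2.0/24"})
    three_port = Router("ser0", {"eth0": "192.0.2.0/24", "eth1": "198.51.100.0/24"})
    forged = Packet(IPv4Address("192.0.2.10"), "ser0")      # our address, from outside
    internal = Packet(IPv4Address("198.51.100.7"), "eth1")  # genuine inter-subnet traffic
    return {"ingress_forged": three_port.ingress_filter(forged),
            "ingress_internal": three_port.ingress_filter(internal),
            "egress_2port_forged": two_port.egress_only_filter(forged, "eth0"),
            "egress_3port_forged": three_port.egress_only_filter(forged, "eth0"),
            "egress_3port_internal": three_port.egress_only_filter(internal, "eth0")}
```

Running `demo()` shows the input-side rule deciding every case, while the output-side rule only decides on the two-port router and returns "ambiguous" for both the forged and the legitimate packet on the three-port one.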

