David Kovar writes:
> From: David Kovar <kovar@NDA.COM>
> Subject: Packet filters vs other forms of firewalls
> To: firewalls@greatcircle.com
> Date: Thu, 29 Sep 1994 19:05:59 -0400 (EDT)
much deleted...
> If we ran with this filter, what problems might we expect to
> encounter?
>
> -David
>
> permit all outgoing packets, icmp, udp, tcp or whatever.
> permit incoming udp packets on port 53 (DNS)
> deny all incoming icmp or udp packets.
> permit all incoming packets for already established TCP connections
> deny incoming TCP packets for X11 and NFS (I think 3000,3001,3002,
> 6000,6001,6002)
Humm, I believe NFS typically uses port 2049, and you might need to
deny 6000 thru some higher number than 6002 (if you anticipate more
than 3 Xwindow sessions). How about port 2000, anyone in your shop
using Openwin? I recommend reviewing appendix B in 'Firewalls and
Internet Security' by Bill Cheswick.
> permit incoming TCP connections for ports > 1023 *** Perhaps a problem
> permit incoming TCP connections for ports:
> 53 (DNS)
> 25 (SMTP) to mailhost
>
> Maybe turn on 80 (http), 119 (nntp),
> and for really daring sites 23 (telnet), 21 (ftp), and 20 (ftp-data)
I would seriously consider some kind of password encryption for the
telnet connection, and set up some kind of an anon-ftp OUTSIDE of your
packet-filter firewall.
> deny all incoming TCP connections
Cheers... tom
--
Tom Brink                                   tom@dot.state.az.us
Technical Support Specialist
Technical Research Center
Information Services Group
Arizona Department of Transportation
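The rule set quoted in David's message, transcribed into a small first-match packet-filter evaluator so that the gaps Tom points out (NFS listening on 2049 rather than 3000-3002, X displays beyond 6002, OpenWindows on 2000) can be checked against sample packets instead of argued about. This is an added example, not code from the original post or from either correspondent. The `Packet`/`Rule` representation is the example's own; the 6063 upper bound for the X11 range (64 displays) is an assumption, since the post only says "some higher number"; and the "to mailhost" host restriction on port 25 is deliberately not modelled.

```python
"""Stateless, first-match packet-filter evaluator for the rule set discussed above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out"
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0               # destination port (0 for icmp)
    established: bool = False    # TCP segment with ACK set, i.e. part of an existing connection


# Rule = (direction, proto, (low, high) port range or None, established flag or None, action).
# "any" matches every direction or protocol; None means "don't care". First match wins.
Rule = Tuple[str, str, Optional[Tuple[int, int]], Optional[bool], str]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return "permit" or "deny" for pkt under rules, with an implicit default deny."""
    for direction, proto, ports, established, action in rules:
        if direction != "any" and direction != pkt.direction:
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if ports is not None and not (ports[0] <= pkt.dport <= ports[1]):
            continue
        if established is not None and established != pkt.established:
            continue
        return action
    return "deny"


# David's proposed filter, transcribed in the order he listed it.
# Simplification (assumption): the "to mailhost" restriction on port 25 is not modelled.
PROPOSED: List[Rule] = [
    ("out", "any", None, None, "permit"),
    ("in", "udp", (53, 53), None, "permit"),
    ("in", "icmp", None, None, "deny"),
    ("in", "udp", None, None, "deny"),
    ("in", "tcp", None, True, "permit"),              # already established TCP connections
    ("in", "tcp", (3000, 3002), False, "deny"),       # "NFS" as guessed in the post
    ("in", "tcp", (6000, 6002), False, "deny"),       # X11, three displays
    ("in", "tcp", (1024, 65535), False, "permit"),    # the "perhaps a problem" rule
    ("in", "tcp", (53, 53), False, "permit"),
    ("in", "tcp", (25, 25), False, "permit"),
    ("in", "tcp", None, False, "deny"),
]

# Tom's amendments: NFS on 2049, OpenWindows on 2000, and a wider X11 range.
# The upper bound 6063 is an assumption of this example; the post says only "some higher number".
AMENDED: List[Rule] = PROPOSED[:5] + [
    ("in", "tcp", (2049, 2049), False, "deny"),
    ("in", "tcp", (2000, 2000), False, "deny"),
    ("in", "tcp", (6000, 6063), False, "deny"),
] + PROPOSED[7:]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Decision for pkt under the proposed filter and under the amended one."""
    return evaluate(PROPOSED, pkt), evaluate(AMENDED, pkt)


if __name__ == "__main__":
    # Constructed sample packets, one per case worth checking.
    samples = [
        ("new inbound NFS connection (tcp/2049)", Packet("in", "tcp", 2049)),
        ("new inbound X11, 4th display (tcp/6003)", Packet("in", "tcp", 6003)),
        ("new inbound OpenWindows (tcp/2000)", Packet("in", "tcp", 2000)),
        ("inbound SMTP (tcp/25)", Packet("in", "tcp", 25)),
        ("inbound telnet (tcp/23)", Packet("in", "tcp", 23)),
        ("inbound DNS query (udp/53)", Packet("in", "udp", 53)),
        ("inbound ping (icmp)", Packet("in", "icmp")),
        ("reply segment of an outbound session (tcp/6000, ACK)",
         Packet("in", "tcp", 6000, established=True)),
    ]
    for label, pkt in samples:
        proposed, amended = compare(pkt)
        print(f"{label:55s} proposed={proposed:6s} amended={amended}")
```

Running it shows why the ">1023" rule is the one David flagged: because it sits after the two narrow deny ranges, any high port not explicitly listed (2049, 2000, 6003) falls through to "permit" in the proposed filter, while the amended list catches them. The established-connection rule comes first in both lists, so reply segments of outbound sessions are unaffected by the added denies.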