Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: IP Filters?
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Sat, 5 Jul 1997 04:56:37 +1000 (EST)
To: travish @ dejanews . com (Travis Hassloch)
Cc: pferguso @ cisco . com, Firewalls @ GreatCircle . COM
In-reply-to: <199707041641 . LAA16103 @ byers . dejanews . com> from "Travis Hassloch" at Jul 4, 97 11:41:11 am

In some mail from Travis Hassloch, sie said:
> 
> It doesn't keep connection state in the packet like TCP does,
> but that doesn't mean a gateway can't.  Besides, if you
> rely on what the TCP flags say you're opening yourself
> up to passive port scans (i.e. scans based on packets with ACK
> set).

Not if you've half a clue about things.  Some vendors are missing
half a clue but.

> >Note: ingress traffic filtering is a concept of filtering
> >traffic leaving your administrative domain so that only
> >traffic which is announced via routing (e.g. BGP) is allowed
> >to exit your routing domain. This does nothing to protect
> >you from an attack, but it does disallow downstream users
> >from launching attacks using nonexistent source addresses.
> 
> Is this the multi-network equivalent of blocking outgoing
> packets which don't appear from being part of your internal
> network?

Yes.  Something all routers should do, anyway.
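
Added example, not part of the original mail or of any product discussed in it: a minimal Python model of the two points in this exchange, a gateway that keeps connection state itself instead of trusting the ACK flag, and that drops outgoing packets whose source address is not part of the internal network. The addresses (documentation ranges), the packet dictionaries and names such as StatefulGateway are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: one internal prefix, taken from documentation address space.
INTERNAL = [ip_network("192.0.2.0/24")]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def flags_only_inbound(pkt):
    """Stateless 'established' rule: admit any inbound segment with ACK set."""
    return "ACK" in pkt["flags"]

class StatefulGateway:
    """Keeps connection state in the gateway rather than trusting TCP flags."""

    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        # Drop packets that do not appear to come from the internal network.
        if not is_internal(pkt["src"]):
            return False
        # Simplification: only the opening SYN creates state; teardown is omitted.
        if pkt["flags"] == {"SYN"}:
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        # Admit only replies to a flow that an inside host opened.
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def demo():
    gw = StatefulGateway()
    reply = pkt("198.51.100.5", 80, "192.0.2.10", 40000, "SYN", "ACK")
    stray = pkt("198.51.100.7", 80, "192.0.2.10", 22, "ACK")  # no matching flow
    return {
        "legit_out": gw.outbound(pkt("192.0.2.10", 40000, "198.51.100.5", 80, "SYN")),
        "spoofed_out": gw.outbound(pkt("203.0.113.9", 40001, "198.51.100.5", 80, "SYN")),
        "reply_stateful": gw.inbound(reply),
        "stray_ack_flags_only": flags_only_inbound(stray),
        "stray_ack_stateful": gw.inbound(stray),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'pass' if allowed else 'drop'}")
```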


