Great Circle Associates Firewalls
(January 1994)

Subject: Re: Pings...
From: jimc @ jts . com
Organization: JTS Computer Systems Ltd., Toronto, Canada
Date: Fri, 21 Jan 1994 12:15:16 -0500
To: gil @ checkpoint . brm . co . il (Gil Shwed)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9401211203 . AA02162 @ checkpoint . brm . co . il> from "Gil Shwed" at Jan 21, 94 02:03:42 pm
Reply-to: jimc @ jts . com

Quoting Gil Shwed:
+ 
+ (1) RPC services are on anonymous ports (they are *not* pre-determined),
+     the portmapper (sunrpc, port 111) is used only for the 
+     program-number -> port-number mapping. Scanning is very easy since RPC
+     services usually find themselves on ports just over 1023. RPC/YP scanners
+     like these were used by Internet intruders, and had very successful
+     results...

Apologies for making any silly assumptions, but hopefully I'll learn
something here.  (After all, this is a forum for learning, isn't it? :-)

For starters, please clarify whether RPC uses TCP, UDP, or both.

This is what I understand:

- Inbound TCP >1023 can be filtered (e.g., on a Cisco) by setting the
  "established" flag;
- FTP has a problem with this, due to the passive open from the server's
  port 20 to some port >1023 on the client;
- Inbound UDP >1023 can be filtered, but then how do certain UDP services
  (DNS springs to mind) get allowed to "complete the call"?  Or, is this
  strictly a feature of TCP?
- TCP/UDP port usage >1023 cannot be predetermined, i.e., you cannot
  force them to use a predetermined range, such as >4096, or?

If RPC services "usually find themselves on ports just over 1023", then
is there a potential conflict between what you need to deny, and what
you need to allow?  That is, can I deny TCP/UDP service up to, say,
port 1060 to protect the RPC side, but not prevent legitimate outbound
connections from being completed?

+ (2) Though NFS is RPC service, it uses port 2049 on standard systems.

Thanks for this one.  I was wondering about that.  That hole is now plugged.

Also, is there a list of "vulnerable" ports >1023 (other than this one) that
one should be paranoid about?  (I hate asking this, as I realize that there
will be some concern about giving potential crackers a shopping list....)

+ 
+ -- Gil Shwed
+ -- CheckPoint Software Technologies
+ 


-- 
Jim Carroll  | JTS Computer Systems Ltd. | The ongoing struggle of
jimc @ jts . com | Toronto, Ontario          | Prometheus vs. Epimetheus....


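The post above asks how an "established"-style filter on inbound TCP >1023 interacts with active FTP, how UDP replies such as DNS get back in when there is no flag to match on, and why NFS on 2049 needs its own rule. The following simulation is an added example, not code from the original post or from the Great Circle archive: it models a stateless ACK check for TCP and a state table of outbound UDP queries, then runs constructed packets through both. Addresses are from the RFC 5737 documentation ranges, and the packet layout and rule order are assumptions made for the illustration; ONC RPC services themselves can run over either TCP or UDP, so the same rules are applied to both.

```python
"""Simulation of two packet-filter styles discussed in the thread (added example):
- TCP >1023 inbound permitted only when ACK is set ("established" on a Cisco);
- UDP >1023 inbound permitted only when it answers a recorded outbound query.
Constructed addresses: 192.0.2.0/24 is "inside", 198.51.100.0/24 is "outside".
"""
from dataclasses import dataclass, field

PORTMAPPER = 111   # sunrpc, from the quoted message
NFS_PORT = 2049    # NFS on standard systems, from the quoted message


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool       # True = arriving from the outside
    ack: bool = False   # TCP ACK flag; UDP has no equivalent


@dataclass
class Filter:
    # (inside_ip, inside_port, outside_ip, outside_port) of outbound UDP queries
    udp_state: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            if p.proto == "udp":
                # Remember the outbound query so its reply can "complete the call".
                self.udp_state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "permit"
        # Explicit deny for the RPC infrastructure ports, checked before the
        # generic high-port rule so NFS is blocked even though 2049 > 1023.
        if p.dst_port in (PORTMAPPER, NFS_PORT):
            return "deny"
        if p.proto == "tcp":
            # "established": a reply segment carries ACK; a fresh connection
            # attempt (SYN only) to a high port, where RPC services live, does not.
            # Caveat: this is stateless, so a crafted segment with ACK set passes;
            # a real stateful firewall would also require a known connection.
            return "permit" if p.dst_port > 1023 and p.ack else "deny"
        # UDP: no flag to inspect, so the only way to tell a reply from an
        # unsolicited datagram is the state table built from outbound traffic.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.udp_state:
            self.udp_state.discard(key)   # one reply per query
            return "permit"
        return "deny"


def run_scenarios() -> dict:
    """Run the cases raised in the thread; returns {case: decision}."""
    f = Filter()
    inside, outside = "192.0.2.10", "198.51.100.5"
    r = {}
    # Reply to an outbound web connection: ACK set, high destination port.
    r["tcp_reply"] = f.decide(Packet("tcp", outside, 80, inside, 1500, True, ack=True))
    # Scan of a port just over 1023: SYN without ACK.
    r["rpc_probe"] = f.decide(Packet("tcp", outside, 40000, inside, 1030, True, ack=False))
    # Active FTP data: server opens from port 20 to the client's high port.
    r["ftp_data"] = f.decide(Packet("tcp", outside, 20, inside, 1501, True, ack=False))
    # NFS stays blocked even with ACK set, because the explicit rule comes first.
    r["nfs"] = f.decide(Packet("tcp", outside, 40001, inside, NFS_PORT, True, ack=True))
    # DNS: outbound query recorded, matching reply permitted, second copy denied.
    f.decide(Packet("udp", inside, 1234, outside, 53, False))
    r["dns_reply"] = f.decide(Packet("udp", outside, 53, inside, 1234, True))
    r["dns_replay"] = f.decide(Packet("udp", outside, 53, inside, 1234, True))
    # Unsolicited UDP to a high port from a source pretending to be a resolver.
    r["udp_probe"] = f.decide(Packet("udp", outside, 53, inside, 1050, True))
    return r


if __name__ == "__main__":
    for case, decision in run_scenarios().items():
        print(f"{case:12s} {decision}")
```

The FTP case shows why the "established" trick breaks active-mode transfers: the data connection arrives as a new SYN to a port above 1023 and looks exactly like a scan. The DNS case shows why UDP has no equivalent shortcut: nothing in the datagram marks it as a reply, so the filter has to have seen the query go out first.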
References:
  • Re: Pings...
    From: gil @ checkpoint . brm . co . il (Gil Shwed)