Great Circle Associates Firewalls
(September 1994)

Subject: Packet filters vs other forms of firewalls
From: David Kovar <kovar @ NDA . COM>
Date: Thu, 29 Sep 1994 19:05:59 -0400 (EDT)
To: firewalls @ GreatCircle . COM

  A colleague is advocating using packet filters for security and is
interested in knowing what benefit he'll get from going to a full(er)
firewall configuration. I've enclosed an example filter configuration
and am interested in knowing what holes it might leave that would be
closed by another approach. The assumption here is that the services
behind the openings in the filter are secure, which isn't a reasonable
assumption.

  If we ran with this filter, what problems might we expect to
encounter?

-David

	permit all outgoing packets, icmp, udp, tcp or whatever.
	permit incoming udp packets on port 53 (DNS)
	deny all incoming icmp or udp packets.
	permit all incoming packets for already established TCP connections
	deny incoming TCP packets for X11 and NFS (I think 3000,3001,3002,
	    6000,6001,6002)
	permit incoming TCP connections for ports > 1023 *** Perhaps a problem
	permit incoming TCP connections for ports:
		53 (DNS)
		25 (SMTP) to mailhost

	Maybe turn on 80 (http), 119 (nntp),
	    and for really daring sites 23 (telnet), 21 (ftp), and 20 (ftp-data)

	deny all incoming TCP connections
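The inbound half of the ruleset above, as an added example that is not part of the original post: a first-match evaluator that reports which rule decides each packet, so the effect of the "ports > 1023" line can be checked directly. It assumes, as stateless filters of that era did, that "already established" means the TCP ACK bit is set, and it uses `mailhost` as a placeholder host name and constructed sample ports.

```python
from dataclasses import dataclass
from typing import Tuple

# Inbound packet as the filter sees it (constructed model, header fields only).
@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int = 0
    dst_host: str = "anyhost"
    ack: bool = False     # ACK bit set: a stateless filter treats this as "established" (assumption)

X11_NFS_PORTS = {3000, 3001, 3002, 6000, 6001, 6002}   # the ports listed in the post
MAILHOST = "mailhost"                                  # placeholder host name from the post

# Inbound rules in the order the post gives them; first match wins.
# Each entry: (rule name, predicate, verdict)
INBOUND_RULES = [
    ("permit udp 53 (DNS)",       lambda p: p.proto == "udp" and p.dst_port == 53,            "permit"),
    ("deny icmp/udp",             lambda p: p.proto in ("icmp", "udp"),                       "deny"),
    ("permit established tcp",    lambda p: p.proto == "tcp" and p.ack,                       "permit"),
    ("deny X11/NFS",              lambda p: p.proto == "tcp" and p.dst_port in X11_NFS_PORTS, "deny"),
    ("permit tcp > 1023",         lambda p: p.proto == "tcp" and p.dst_port > 1023,           "permit"),
    ("permit tcp 53 (DNS)",       lambda p: p.proto == "tcp" and p.dst_port == 53,            "permit"),
    ("permit tcp 25 to mailhost", lambda p: p.proto == "tcp" and p.dst_port == 25
                                            and p.dst_host == MAILHOST,                       "permit"),
    ("deny all tcp",              lambda p: p.proto == "tcp",                                 "deny"),
]

def verdict(p: Packet) -> Tuple[str, str]:
    """Return (verdict, name of the rule that decided it) for an inbound packet."""
    for name, match, action in INBOUND_RULES:
        if match(p):
            return action, name
    return "deny", "implicit deny"      # nothing matched (unknown protocol)

def exposed_high_ports(candidates) -> list:
    """Ports above 1023 that a brand-new inbound TCP connection can reach.
    This is the hole the post marks '*** Perhaps a problem': every listening
    service above 1023 is reachable unless a rule denies it by name."""
    return [port for port in candidates if verdict(Packet("tcp", port))[0] == "permit"]

if __name__ == "__main__":
    for pkt in (Packet("tcp", 23), Packet("tcp", 23, ack=True), Packet("tcp", 8080)):
        print(pkt, "->", verdict(pkt))
    print("exposed high ports (constructed sample):", exposed_high_ports([8080, 6000, 2049, 1024]))
```

Note that a new connection to port 23 is denied by the final rule, but the same packet with the ACK bit set is permitted by the "established" rule, which is exactly the weakness of deciding state from a single header flag.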
