> If you only have two interfaces on your internet router, i.e. to your
> internal network and the other a serial interface to the Internet or
> a LAN interface to an isolated subnet that connects to the Internet,
> then it doesn't matter between filtering input vs. output since the
> input at both ports is output at the other. Filtering input on the
> port that connects to the Internet is the same as filtering output
> at the port that connects to your internal network. The logical
> reverse holds true for output filtering.
(input filtering on port 1 == output filtering on port 2) holds true for all traffic
that is going *through* a 2-port router. It is not true for traffic *to* or *from*
the router, e.g., telnet to the router to configure it, routing protocols, ICMP,
Thus, on a router that implements input filtering, filtering out telnet on port
1 keeps telnet traffic from port 1 from reaching port 2 *and* keeps telnet
traffic from reaching the router. The opposite, filtering telnet traffic from the
output of port 2, does not keep telnet traffic coming in on port 1 from
reaching the router, i.e., you could telnet to the router if the router is
otherwise configured to support it. (Obviously, this can lead to security
holes with the router itself if the person performing the configuring is used
to using the "other" type of filter). I haven't throught this through
completely but I suppose it might leave a small vulnerability to spoofing
attacks aimed at the router itself (e.g., telnet packets blocked going *out*
both ports. What's to keep a guessed TCP sequence from going in to the
router and successfully reconfiguring the router? The telnet response
packets don't go anywhere, so the attacker is working blind, but that's no
different from the Mitnick attacks).
This came up for me in a trivial way when translating some rules to a
Morning Star (input filtering); I meant to have the router respond to pings
but not permit pings to internal hosts other than the bastion. With the input
filter scheme, I had to explicitly open a hole for pings to the router.
Chris Tyler Chris @
Com CTyler @
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399