
Re: Can't someone choose source port?



On Mon, Jan 31, 2000 at 02:35:38PM +0100, Julien Stern wrote:
> Hi all,
> 
> I have the following problem in my firewall setup.
> 
> I want to ping and traceroute from the firewall, and I decided
> to allow DNS lookup from my firewall. (I use my ISP DNSs).
> 
> So I added the following rule on the input chain (or more
> precisely on the input chain from the outside world):
> 
> ipchains -A bad-if -p TCP --sport domain -j ACCEPT
> 
> I'm wondering if such a rule isn't very dangerous in fact.
> Suppose that a port (say telnet) is open on the firewall,
> so that I can telnet from inside, but blocked for the
> outside world. Isn't it possible to hack a telnet client
> so that it connects FROM port 53 (domain) to my telnet port?
> 
> If so, what should I do? Should I specify that I only allow
> packets coming from port 53 _and_ from the addresses of
> my ISP DNSs? Even in this case, I would have to trust these
> computers. Is there a really bullet-proof setup?

The 'secure' way to do this is to run BIND on your firewall box, and
have things in your network only talk to your firewall. You then
configure BIND on the firewall to behave however you like.

The other thing you can do is use ! -syn to say that it should only
allow through packets that claim to be part of an existing connection,
and disallow all SYN requests to open a new connection. This way the
boxes inside your network can open a connection to port 53 on boxes
outside your network, but boxes outside can't open a connection to
anything inside your network simply by virtue of using source port 53.

-- 
Elie Rosenblum                 That is not dead which can eternal lie,
http://www.cosanostra.net   And with strange aeons even death may die.
Admin / Mercenary / System Programmer             - _The Necronomicon_
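As an added illustration (not code from the thread), the following models ipchains-style matching and contrasts the rule from the question with the "! --syn" variant suggested in the reply; ipchains spells that flag `-y` or `--syn`, and it matches TCP packets with SYN set and ACK clear, i.e. connection-opening requests. The addresses and ports are constructed sample values.

```python
# Added example, not from the original thread: a small model of two ipchains
# rule sets applied to packets arriving on the outside interface.
#   weak:     ipchains -A bad-if -p TCP --sport domain -j ACCEPT
#   hardened: ipchains -A bad-if -p TCP --sport domain ! --syn -j ACCEPT
# Both chains end in a default deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dport: int
    syn: bool = False  # SYN flag set
    ack: bool = False  # ACK flag set


def is_syn(pkt: Packet) -> bool:
    # What ipchains -y/--syn matches: SYN set and ACK clear (FIN omitted here).
    return pkt.proto == "TCP" and pkt.syn and not pkt.ack


def weak_chain(pkt: Packet) -> str:
    # Anything claiming source port 53 is accepted, including new connections.
    if pkt.proto == "TCP" and pkt.sport == 53:
        return "ACCEPT"
    return "DENY"


def hardened_chain(pkt: Packet) -> str:
    # Only non-SYN packets from port 53 pass, so replies to lookups started
    # from inside get through but nobody can open a connection inward.
    if pkt.proto == "TCP" and pkt.sport == 53 and not is_syn(pkt):
        return "ACCEPT"
    return "DENY"


# Constructed sample traffic (RFC 5737 documentation addresses).
DNS_REPLY = Packet("TCP", "192.0.2.53", 53, 1025, syn=True, ack=True)  # SYN/ACK answering our lookup
INBOUND_SYN = Packet("TCP", "198.51.100.7", 53, 23, syn=True)          # new connection to telnet


def evaluate(chain, packets):
    return {p.dport: chain(p) for p in packets}


if __name__ == "__main__":
    for name, chain in (("weak", weak_chain), ("hardened", hardened_chain)):
        print(name, evaluate(chain, [DNS_REPLY, INBOUND_SYN]))
```

The weak chain accepts both packets; the hardened chain still accepts the DNS reply but denies the inbound SYN, which is the property the reply above describes.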