Re: Can't someone choose source port?



On Mon, Jan 31, 2000 at 10:18:53AM -0500, Elie Rosenblum wrote:
> On Mon, Jan 31, 2000 at 02:35:38PM +0100, Julien Stern wrote:
> > Hi all,
> > 
> > I have the following problem in my firewall setup.
> > 
> > I want to ping and traceroute from the firewall, and I decided
> > to allow DNS lookup from my firewall. (I use my ISP DNSs).
> > 
> > So I added the following rule on the input chain (or more
> > precisely on the input chain from the outside world):
> > 
> > ipchains -A bad-if -p TCP --sport domain -j ACCEPT
> > 
> > I'm wondering if such a rule isn't very dangerous in fact.
> > Suppose that a port (say telnet) is open on the firewall,
> > so that I can telnet from inside, but blocked for the
> > outside world. Isn't it possible to hack a telnet client
> > so that it connects FROM port 53 (domain) to my telnet port?
> > 
> > If so, what should I do? Should I specify that I only allow
> > packets coming from port 53 _and_ from the addresses of
> > my ISP DNSs? Even in this case, I would have to trust these
> > computers. Is there a really bullet-proof setup?
> 
> The 'secure' way to do this is to run BIND on your firewall box, and
> have things in your network only talk to your firewall. You then
> configure BIND on the firewall to behave however you like.
> 
> The other thing you can do is use ! -syn to say that it should only
> allow through packets that claim to be part of an existing connection,
> and disallow all SYN requests to open a new connection. This way the
> boxes inside your network can open a connection to port 53 on boxes
> outside your network, but boxes outside can't open a connection to
> anything inside your network simply by virtue of using source port 53.
>
Thanks a lot for your explanations.
I was actually concerned about someone being able to log on to (or even
just probe) the firewall itself by using port 53. My internal network
is private (192.168.) and masqueraded, so (at least if I understand
correctly) even if I allow all packets from port 53 to inside, I should
be safe because I'm using masquerading and only 'replies' should
be able to go through (right? :) )

I don't feel like running BIND on the firewall for the tiny (SOHO)
network I have, so your ! -syn solution for the firewall box seems
to be just what I need.

Thanks again.
Cheers.
--
Julien Stern
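The two rule variants discussed in this thread, as an added example that is not part of the original mails: a small Python model of a stateless packet filter that evaluates the original `--sport domain` rule and the refinement with `! -y` (ipchains' spelling of the negated SYN match) against constructed packets. ipchains itself is not run; the rule semantics and the sample packets are modelled here.

```python
# Added example: models ipchains' first-match chain walk for the two rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

DOMAIN = 53  # the service name "domain" in /etc/services

def rule_sport_domain(pkt):
    """Models: ipchains -A bad-if -p TCP --sport domain -j ACCEPT"""
    if pkt.proto == "TCP" and pkt.sport == DOMAIN:
        return "ACCEPT"
    return None  # no match: fall through to the next rule or the policy

def rule_sport_domain_not_syn(pkt):
    """Models: ipchains -A bad-if -p TCP --sport domain ! -y -j ACCEPT
    -y matches a connection opener (SYN set, ACK clear); '!' negates it,
    so only packets that claim to belong to an existing connection match."""
    is_opener = pkt.syn and not pkt.ack
    if pkt.proto == "TCP" and pkt.sport == DOMAIN and not is_opener:
        return "ACCEPT"
    return None

def verdict(chain, pkt, policy="DENY"):
    """Walk a chain in order; the first matching rule wins, else the policy."""
    for rule in chain:
        v = rule(pkt)
        if v is not None:
            return v
    return policy

# Constructed traffic arriving on the outside interface (bad-if):
dns_reply = Packet("TCP", sport=53, dport=40001, ack=True)   # answer to our lookup
probe_from_53 = Packet("TCP", sport=53, dport=23, syn=True)  # new connection to telnet

def compare():
    """Verdict of (original rule, refined rule) for each sample packet."""
    risky, fixed = [rule_sport_domain], [rule_sport_domain_not_syn]
    return {name: (verdict(risky, p), verdict(fixed, p))
            for name, p in (("dns_reply", dns_reply), ("probe_from_53", probe_from_53))}

if __name__ == "__main__":
    for name, (r, f) in compare().items():
        print(f"{name:14s} original={r:7s} with '! -y'={f}")
```

Both variants are `-p TCP`, so UDP DNS replies (which carry no SYN flag) are not covered by either and need their own rule.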