Re: spf and masquerading
On Sat, 01.04.00 11:57 +0200, Michael Meskes wrote:
> > a) Stateful packet filtering would be quite senseless
> > if I applied it to a masquerading server because that would not allow
> > connections to hosts other than the firewall (except I explicitly program
> > them). Right or wrong?
> Wrong. spf does monitor the outgoing packets and installs a backward rule.
A host behind a masquerading gateway wouldn't be reachable if the
gateway did not monitor outgoing packets and install a backward rule, too,
although here it maps a local (gateway) port to an internal address+port.
> It does not matter if the router is masquerading.
In this case the masquerading software does something similar to the
> > b) On a normal host, spf is only good to avoid opening all ports above
> > 1023, right? But in case I deny connections (SYN-Flag) to those ports,
> > will it bring me any advantage?
> Sorry, I do not understand that question. Where's the connection between spf
> and the user port range? With ipchains you can only stop packets with the SYN
> flag set. How about packets with the SYN flag unset? And how about UDP and ICMP?
What harm can a packet without the SYN flag do? AFAIK it can only fiddle
around with the IP stack implementation - which has to be stable anyway.
ok, no syn flag here (but it's normally only used for DNS...)
what use does spf bring here? If you want to secure your host you deny
everything but echo/echo reply, dest unreachable, source quench, redirect
and time exceeded. Apart from the first one (->ping) you can't have any
> Also I wonder why spf cannot help you with port < 1024.
I thought that spf is mainly used for protecting against *incoming*
packets. Here you can deny everything below 1024 except for the few
services you need. Then the only way of attacking could be spoofed packets
that do not belong to any real connection. But those packets should be
discarded by the normal IP stack, too.
Linux - the choice of the GNU generation. Join the Debian Project
Christian Hammers * Oberer Heidweg 35 * D-52477 Alsdorf * Tel: 02404-25624
50 3C 52 26 3E 52 E7 20 D2 A1 F5 16 C4 C9 D4 D3 1024/925BCB55 1997/11/01
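An added example, not from this thread or from either author, that models the two filtering styles under discussion: a stateless ipchains-style inbound policy that can only match the SYN flag, beside an spf-style filter that records outgoing packets and installs the backward rule. The addresses, ports, the allowed service set and the ICMP type list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag set (what ipchains' -y matches)
    icmp_type: int = 0

SERVICES = {25}                    # the "few services you need" below 1024 (assumed)
ICMP_OK = {0, 3, 4, 5, 8, 11}      # echo reply, dest unreach, source quench, redirect, echo, time exceeded

def stateless(pkt):
    # ipchains-style inbound policy: deny SYN to closed ports, limit ICMP.
    if pkt.proto == "icmp":
        return "ACCEPT" if pkt.icmp_type in ICMP_OK else "DENY"
    if pkt.proto == "tcp":
        if pkt.syn and pkt.dport not in SERVICES:
            return "DENY"
        return "ACCEPT"            # a segment without SYN never matches -y
    return "DENY" if pkt.dport < 1024 else "ACCEPT"   # udp: user ports open

class Stateful:
    # spf-style: every outgoing packet installs the "backward rule".
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def inbound(self, pkt):
        if pkt.proto == "icmp":
            return "ACCEPT" if pkt.icmp_type in ICMP_OK else "DENY"
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "ACCEPT"        # reply to a connection this host opened
        if pkt.proto == "tcp" and pkt.syn and pkt.dport in SERVICES:
            return "ACCEPT"        # new connection to an offered service
        return "DENY"              # anything else, SYN or not

def compare(inbound, outbound=()):
    # Return (stateless verdict, stateful verdict) for one inbound packet.
    f = Stateful()
    for p in outbound:
        f.outbound(p)
    return stateless(inbound), f.inbound(inbound)

HOST, DNS, OTHER = "10.0.0.5", "10.0.0.53", "192.0.2.9"   # constructed addresses
STRAY_ACK = Packet("tcp", OTHER, 4000, HOST, 6000)        # no SYN, high port
DNS_QUERY = Packet("udp", HOST, 1025, DNS, 53)            # our outgoing query
DNS_REPLY = Packet("udp", DNS, 53, HOST, 1025)            # the matching reply
```

`compare(STRAY_ACK)` shows the difference the thread is about: the SYN-only rule accepts the stray segment, the stateful filter denies it because no outgoing packet created a backward rule for it.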