
Can't someone choose source port?



Hi all,

I have the following problem in my firewall setup.

I want to ping and traceroute from the firewall, and I decided
to allow DNS lookup from my firewall. (I use my ISP's DNSs.)

So I added the following rule on the input chain (or more
precisely on the input chain from the outside world):

ipchains -A bad-if -p TCP --sport domain -j ACCEPT

I'm wondering if such a rule isn't very dangerous in fact.
Suppose that a port (say telnet) is open on the firewall,
so that I can telnet from inside, but blocked for the
outside world. Isn't it possible to hack a telnet client
so that it connects FROM port 53 (domain) to my telnet port?

If so, what should I do? Should I specify that I only allow
packets coming from port 53 _and_ from the addresses of
my ISP's DNSs? Even in this case, I would have to trust these
computers. Is there a really bullet-proof setup?

Thanks for your time.
Sincerely.
Julien Stern
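The concern in the post can be checked without touching a real firewall. The block below is an added example, not part of the original message and not ipchains itself: it models ipchains' first-match rule evaluation for the handful of match options involved (`-p`, `-s address port`, `--dport`, `-y` / `! -y`) and runs the rule from the post next to a stricter pair of rules against a few constructed packets. The resolver address 192.0.2.53 and the client address 198.51.100.9 are placeholders from the RFC 5737 documentation ranges; the post names no addresses.

```python
"""Toy ipchains-style packet filter (not ipchains itself) used to compare the
"--sport domain" rule from the post with a stricter form of it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source address
    sport: int          # source port
    dport: int          # destination port on the firewall
    syn: bool = False   # TCP: SYN set, ACK clear, i.e. a new connection
                        # attempt; this is what ipchains' -y flag matches


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s address (None = any)
    sport: Optional[int] = None       # --sport, or the port after -s
    dport_min: Optional[int] = None   # low end of "--dport dport_min:65535"
    syn: Optional[bool] = None        # True = -y, False = ! -y, None = either
    target: str = "ACCEPT"            # -j

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport_min is not None and p.dport < self.dport_min:
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Rule from the post:  ipchains -A bad-if -p TCP --sport domain -j ACCEPT
WEAK_CHAIN = [Rule(proto="tcp", sport=53)]

# Hypothetical ISP resolver address (RFC 5737 documentation range, placeholder).
ISP_DNS = "192.0.2.53"

# Stricter equivalent, one pair of rules per resolver:
#   ipchains -A bad-if -p UDP -s 192.0.2.53 53 --dport 1024:65535 -j ACCEPT
#   ipchains -A bad-if -p TCP -s 192.0.2.53 53 --dport 1024:65535 ! -y -j ACCEPT
# A reply must come from the resolver, from port 53, land on an unprivileged
# port (where the resolver library's reply socket lives) and, for TCP, must
# not be a SYN, so not even the resolver host can open a new connection here.
STRICT_CHAIN = [
    Rule(proto="udp", src=ISP_DNS, sport=53, dport_min=1024),
    Rule(proto="tcp", src=ISP_DNS, sport=53, dport_min=1024, syn=False),
]

# Constructed sample traffic (not captured from a real network).
SAMPLES: Dict[str, Packet] = {
    # new connection to telnet (23) with source port 53, from an arbitrary host
    "syn_from_53_to_telnet": Packet("tcp", "198.51.100.9", 53, 23, syn=True),
    # the same trick attempted from the resolver host itself
    "syn_from_resolver_to_telnet": Packet("tcp", ISP_DNS, 53, 23, syn=True),
    # ordinary UDP DNS answer to a lookup the firewall made
    "udp_dns_reply": Packet("udp", ISP_DNS, 53, 40123),
    # data segment of a TCP DNS answer (used for large, truncated responses)
    "tcp_dns_reply": Packet("tcp", ISP_DNS, 53, 40124, syn=False),
}


def compare(samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Map each sample name to (verdict under WEAK_CHAIN, verdict under STRICT_CHAIN)."""
    return {name: (evaluate(WEAK_CHAIN, p), evaluate(STRICT_CHAIN, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:30s} weak={weak:6s} strict={strict}")
```

The weak chain accepts a connection attempt to port 23 as long as the source port is 53, whichever host sends it; the strict chain accepts only replies to lookups the firewall itself started, and `! -y` means even a compromised resolver cannot open a connection inbound through that hole, which is the "I would have to trust these computers" worry from the post. Two caveats: the post's rule only names TCP, so plain UDP lookups (the usual case) need their own rule, as the strict chain shows; and `! -y` is a stateless approximation of "reply to an existing connection", which a stateful filter with real connection tracking would check properly.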

