Re: Can't someone choose source port?
On Mon, Jan 31, 2000 at 02:35:38PM +0100, Julien Stern wrote:
> I'm wondering if such a rule isn't very dangerous in fact.
> Suppose that a port (say telnet) is open on the firewall,
> so that I can telnet from inside, but blocked for the
> outside world. Isn't it possible to hack a telnet client
> so that it connects FROM port 53 (domain) to my telnet port?
I think so.
> If so, what should I do? Should I specify that I only allow
NEVER install telnet on your firewall. If you really want to work remotely
use ssh.
> packet coming from port 53 _and_ from the addresses of
> my ISP DNSs? Even in this case, I would have to trust these
Yes, that is better of course. Also you can add the destination port which
is 1024:65535 in your case.
> computers. Is there a really bullet-proof setup?
I don't think anything is bullet proof. I will upload spf in the next few
days. You might want to take a look at it since it allows only backward
packets from the machine you connected and also only on the port your query
originated from.
Michael
--
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De | Use PostgreSQL!
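To make the discussion concrete, here is an added example (not from the thread or from spf) that models the three rule sets as a tiny packet filter: the loose "source port 53" rule Julien describes, the tightened rule Michael suggests (ISP resolver addresses plus destination ports 1024:65535), and a stateful filter that only admits answers to queries the firewall itself sent. All addresses and port numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


FIREWALL = "192.0.2.1"                      # constructed address of the firewall
ISP_DNS = [ip_network("198.51.100.0/24")]    # constructed ISP resolver range
EPHEMERAL = range(1024, 65536)               # the 1024:65535 destination ports


def loose_rule(pkt: Packet) -> bool:
    """The rule from the question: anything from source port 53 is let in."""
    return pkt.sport == 53


def strict_rule(pkt: Packet) -> bool:
    """Port 53 only from the ISP resolvers, and only to ports 1024:65535."""
    from_isp = any(ip_address(pkt.src) in net for net in ISP_DNS)
    return pkt.sport == 53 and from_isp and pkt.dport in EPHEMERAL


class StatefulFilter:
    """Admit only the 'backward' packet of a query we sent, on the port we sent it from."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.pending


# constructed: a connection to the firewall's telnet port, sent from source port 53
forged = Packet("203.0.113.9", 53, FIREWALL, 23)
# constructed: a genuine DNS reply to a query the firewall sent from port 1500
reply = Packet("198.51.100.5", 53, FIREWALL, 1500)


def evaluate() -> dict[str, tuple[bool, bool]]:
    """Return (forged admitted?, genuine reply admitted?) for each rule set."""
    sf = StatefulFilter()
    sf.outbound(Packet(FIREWALL, 1500, "198.51.100.5", 53))
    return {
        "loose": (loose_rule(forged), loose_rule(reply)),
        "strict": (strict_rule(forged), strict_rule(reply)),
        "stateful": (sf.inbound(forged), sf.inbound(reply)),
    }
```

The strict rule still admits any packet from the resolver range to a high port, which is the residual trust in the ISP's machines the thread mentions; restricting that rule to UDP as well (not shown here) narrows it further, since DNS replies are UDP while telnet is TCP.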