
Re: regarding firewall discussion



On Wed, 1 Jun 2022 15:02:10 -0400
rhkramer@gmail.com wrote:

> > mick crane <mick.crane@gmail.com> wrote:  
> > > regarding firewall discussion I'm uncertain how firewalls are
> > > supposed to work.
> > > I think the idea is that nothing is accepted unless it is in
> > > response to a request.
> > > What's to stop some spurious instructions being sent in response
> > > to a genuine request?
> 
> Just for the record, what you described (nothing is accepted unless
> it is in response to a request) is more like the way that NAT worked
> (at least in its original incarnations).  (I say it that way because
> I haven't kept up with NAT, so don't know how it may have changed).
> 

It still should, with exceptions for certain special cases that use a
second (usually data) channel that has to be associated with the
request. FTP and many older VPNs are of this kind.

An iptables-based firewall does the same (it can also do NAT) if a
RELATED rule exists. If there is no such rule, only packets explicitly
listed in the firewall code will be allowed in. This is necessary with
unsolicited packets, i.e. the protocols allowed to bypass the firewall,
e.g. ssh.

But the OP asked about malicious reply data, and neither iptables nor
NAT is equipped to detect this. Either a filtering proxy server (e.g.
http://e2guardian.org/cms/index.php) or the original requesting
application must deal with this.

-- 
Joe