I don't need no stinking firewall!

Jay Hennigan jay at west.net
Tue Jan 5 21:04:01 UTC 2010


Simon Lockhart wrote:

> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
> 
>   - Allow from home DSL IP to server port 22
>   - Allow from anywhere port 80 to server

Change the above to:
     - Allow from anywhere port 80 to server port > 1023

Or better:
     - Allow from anywhere port 80 to server port > 1023 established

>   - Deny all other traffic.
> 
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.

Those outbound connections will originate from a random high port, so 
just allow those as destination ports on your inbound rule.

> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.

Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
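A small simulator of the revised stateless ACL, added here as an illustration and not part of Jay's reply or the rest of the thread. The addresses and packets are constructed, and "established" is modelled the way Cisco ACLs define it (ACK or RST bit set):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses; the thread names no real hosts.
HOME_DSL = ip_network("203.0.113.7/32")   # "your home DSL"
SERVER = ip_address("198.51.100.10")      # "your server"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit
    rst: bool = False   # TCP RST bit

def established(p: Packet) -> bool:
    # Cisco-style "established": match only segments with ACK or RST set,
    # so the bare SYN that opens a new connection never matches.
    return p.ack or p.rst

def inbound_acl(p: Packet) -> str:
    """Stateless inbound ACL from the reply; returns 'permit' or 'deny'."""
    if ip_address(p.dst) != SERVER:
        return "deny"
    # Rule 1: SSH only from the home DSL address.
    if ip_address(p.src) in HOME_DSL and p.dport == 22:
        return "permit"
    # Rule 2: return traffic for outbound HTTP: source port 80, destination
    # an ephemeral (>1023) port, and not a connection-opening SYN.
    if p.sport == 80 and p.dport > 1023 and established(p):
        return "permit"
    # Rule 3: deny everything else.
    return "deny"

def demo() -> dict:
    """Constructed packets covering the cases discussed in the thread."""
    cases = {
        "home_ssh": Packet("203.0.113.7", 51515, str(SERVER), 22),
        "stranger_ssh": Packet("192.0.2.66", 51515, str(SERVER), 22),
        "web_reply": Packet("192.0.2.80", 80, str(SERVER), 40000, ack=True),
        "port80_to_ssh": Packet("192.0.2.66", 80, str(SERVER), 22),
        "port80_syn_high": Packet("192.0.2.66", 80, str(SERVER), 40000),
    }
    return {name: inbound_acl(p) for name, p in cases.items()}
```

Because the ACL keeps no connection state, a segment with ACK set from source port 80 to a high port still matches rule 2 even when no outbound connection is behind it; that residual gap is what a stateful firewall closes.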