I don't need no stinking firewall!
Jay Hennigan
jay at west.net
Tue Jan 5 21:04:01 UTC 2010
Simon Lockhart wrote:
> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>
> - Allow from home DSL IP to server port 22
> - Allow from anywhere port 80 to server
Change the above to:
- Allow from anywhere port 80 to server port > 1023
Or better:
- Allow from anywhere port 80 to server port > 1023 established
> - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.
Those outbound connections will originate from a random high port, so
just allow those as destination ports on your inbound rule.
> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.
Not with the above rules.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
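The inbound rule set from the reply above, modelled as a small stateless ACL evaluator. This is an added example, not code from the original post; the addresses (RFC 5737 documentation ranges) and port numbers are constructed, and the `established` flag models a Cisco-style keyword that matches only on the ACK/RST bits of a packet, which is all a stateless filter can see.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when the ACK (or RST) bit is set

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source network
    sport: tuple = (0, 65535)   # inclusive source-port range
    dst: str = "0.0.0.0/0"      # destination network
    dport: tuple = (0, 65535)   # inclusive destination-port range
    established: bool = False   # require ACK/RST bit, like "established"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and self.sport[0] <= p.sport <= self.sport[1]
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport[0] <= p.dport <= self.dport[1]
                and (p.ack or not self.established))

# Constructed addresses: home DSL and the protected server.
HOME_DSL = "192.0.2.50/32"
SERVER = "198.51.100.10/32"

# Inbound ACL as proposed in the reply: first match wins, deny at the end.
INBOUND_ACL = [
    Rule("permit", src=HOME_DSL, dst=SERVER, dport=(22, 22)),
    Rule("permit", sport=(80, 80), dst=SERVER, dport=(1024, 65535),
         established=True),
    Rule("deny"),
]

def evaluate(acl, p: Packet) -> str:
    """Return the action of the first matching rule ("deny" if none match)."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"
```

The remaining stateless limitation is that any packet with the ACK bit set, from source port 80 to a high port, matches the second rule whether or not a connection exists; the server's TCP stack answers such strays with a RST, and a stateful firewall would drop them outright.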