I don't need no stinking firewall!

Jason Shearer jshearer at amedisys.com
Tue Jan 5 21:08:59 UTC 2010

Doesn't using the established allow any packet with ACK/RST set and wouldn't you have to allow all high ports?


-----Original Message-----
From: Jay Hennigan [mailto:jay at west.net]
Sent: Tuesday, January 05, 2010 3:04 PM
To: nanog at nanog.org
Subject: Re: I don't need no stinking firewall!

Simon Lockhart wrote:

> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>   - Allow from home DSL IP to server port 22
>   - Allow from anywhere port 80 to server

Change the above to:
     - Allow from anywhere port 80 to server port > 1023

Or better:
     - Allow from anywhere port 80 to server port > 1023 established

>   - Deny all other traffic.
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.

Those outbound connections will originate from a random high port, so
just allow those as destination ports on your inbound rule.

> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.

Not with the above rules.

Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

*** NOTICE--The attached communication contains privileged and confidential information. If you are not the intended recipient, DO NOT read, copy, or disseminate this communication. Non-intended recipients are hereby placed on notice that any unauthorized disclosure, duplication, distribution, or taking of any action in reliance on the contents of these materials is expressly prohibited. If you have received this communication in error, please delete this information in its entirety and contact the Amedisys Privacy Hotline at 1-866-518-6684. Also, please immediately notify the sender via e-mail that you have received this communication in error. ***

More information about the NANOG mailing list