I don't need no stinking firewall!
henry at AegisInfoSys.com
Tue Jan 5 21:55:22 UTC 2010
On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote:
> Jason Shearer wrote:
> > Doesn't using the established allow any packet with ACK/RST set
> Yes, as would be expected for legitimate return traffic for a TCP
> connection initiated from a browser inside the firewall.
> > and wouldn't you have to allow all high ports?
> That's what the ">" is for. Cisco syntax "gt" (greater than).
One could also use reflexive access lists, which are much better
than static lists, although that takes you back to stateful.
It is possible to combine them both to achieve a mostly stateless
setup while still having better overall security.
> The point is that either of these will deny unsolicited new connection
> attempts from the outside to TCP 22 (and 445, 135, etc.)
Henry Yen Aegis Information Systems, Inc.
Senior Systems Programmer Hicksville, New York
More information about the NANOG