I don't need no stinking firewall!

Henry Yen henry at AegisInfoSys.com
Tue Jan 5 15:55:22 CST 2010


On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote:
> Jason Shearer wrote:
> > Doesn't using the established allow any packet with ACK/RST set 
> 
> Yes, as would be expected for legitimate return traffic for a TCP 
> connection initiated from a browser inside the firewall.
> 
> > and wouldn't you have to allow all high ports?
> 
> That's what the ">" is for.  Cisco syntax "gt" (greater than).

One could also use reflexive access lists, which are much better
than static lists, although that takes you back to stateful.

It is possible to combine them both to achieve a mostly stateless
setup while still having better overall security.

> The point is that either of these will deny unsolicited new connection 
> attempts from the outside to TCP 22 (and 445, 135, etc.)

-- 
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
                                                (800) 234-4700




More information about the NANOG mailing list