On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote:
Jason Shearer wrote:
Doesn't using the established allow any packet with ACK/RST set
Yes, as would be expected for legitimate return traffic for a TCP connection initiated from a browser inside the firewall.
and wouldn't you have to allow all high ports?
That's what the ">" is for. Cisco syntax "gt" (greater than).
One could also use reflexive access lists, which are much better than static lists, although that takes you back to stateful. It is possible to combine them both to achieve a mostly stateless setup while still having better overall security.
The point is that either of these will deny unsolicited new connection attempts from the outside to TCP 22 (and 445, 135, etc.)
-- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York (800) 234-4700