Doesn't using the established keyword allow any packet with ACK/RST set, and wouldn't you have to allow all high ports?

Jason

-----Original Message-----
From: Jay Hennigan [mailto:jay@west.net]
Sent: Tuesday, January 05, 2010 3:04 PM
To: nanog@nanog.org
Subject: Re: I don't need no stinking firewall!

Simon Lockhart wrote:
> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a
> server where you want to allow outbound HTTP access to anywhere on the
> Internet, but only SSH inbound from your home DSL. To do this, you'd build
> an inbound ACL which looks something like:
>
> - Allow from home DSL IP to server port 22
> - Allow from anywhere port 80 to server

Change the above to:

- Allow from anywhere port 80 to server port > 1023

Or better:

- Allow from anywhere port 80 to server port > 1023 established

> - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those
> outbound connections.
>
> Those outbound connections will originate from a random high port, so just
> allow those as destination ports on your inbound rule.
>
> However, an enterprising hacker realises that he can create a TCP
> connection from port 80 on his own box to port 22 on your server.
Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
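As an added illustration, not part of the thread, here is a small Python model of the three inbound ACLs discussed above (Simon's original, Jay's "port > 1023" version, and the "established" version). All addresses, ports and packets are constructed; `established` is modelled the way Cisco IOS treats it, as a match on TCP segments with the ACK or RST bit set, which is the behaviour Jason asks about. Entries are evaluated first-match with an implicit deny at the end.

```python
# Added example, not from the NANOG thread: a toy evaluator for the three
# stateless ACL variants in the exchange above. Addresses, ports and packets
# are constructed. "established" is modelled the Cisco way: the entry matches
# only TCP segments with the ACK or RST bit set.

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src_ip: Optional[str] = None       # None means "any"
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None     # exact destination port
    dst_port_gt: Optional[int] = None  # "gt N": destination port must exceed N
    established: bool = False          # require ACK or RST (stateless heuristic)

    def matches(self, p: Packet) -> bool:
        if self.src_ip is not None and p.src_ip != self.src_ip:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_ip is not None and p.dst_ip != self.dst_ip:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.dst_port_gt is not None and p.dst_port <= self.dst_port_gt:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed addresses from the RFC 5737 documentation ranges.
SERVER = "192.0.2.10"
HOME_DSL = "198.51.100.7"
OUTSIDER = "203.0.113.5"
WEB_SERVER = "203.0.113.80"

SSH_FROM_HOME = Rule("permit", src_ip=HOME_DSL, dst_ip=SERVER, dst_port=22)

# Simon's original inbound ACL: any source port 80 to the server, any port.
ACL_ORIGINAL = [SSH_FROM_HOME,
                Rule("permit", src_port=80, dst_ip=SERVER)]

# Jay's first fix: return traffic only to ports above 1023.
ACL_HIGH_PORTS = [SSH_FROM_HOME,
                  Rule("permit", src_port=80, dst_ip=SERVER, dst_port_gt=1023)]

# Jay's "better" fix: additionally require ACK or RST.
ACL_ESTABLISHED = [SSH_FROM_HOME,
                   Rule("permit", src_port=80, dst_ip=SERVER, dst_port_gt=1023,
                        established=True)]

# Constructed packets.
SSH_SYN_FROM_HOME = Packet(HOME_DSL, 51000, SERVER, 22, syn=True)
SYN_80_TO_22 = Packet(OUTSIDER, 80, SERVER, 22, syn=True)       # the hole Simon describes
SYN_80_TO_HIGH = Packet(OUTSIDER, 80, SERVER, 40000, syn=True)  # new connection to a high port
HTTP_REPLY = Packet(WEB_SERVER, 80, SERVER, 40000, ack=True)    # legitimate return traffic
ACK_80_TO_HIGH = Packet(OUTSIDER, 80, SERVER, 40000, ack=True)  # ACK with no prior SYN


def decisions() -> dict:
    """Verdict of each ACL for each packet, keyed by (acl name, packet name)."""
    acls = {"original": ACL_ORIGINAL, "high_ports": ACL_HIGH_PORTS,
            "established": ACL_ESTABLISHED}
    pkts = {"ssh_from_home": SSH_SYN_FROM_HOME, "syn_80_to_22": SYN_80_TO_22,
            "syn_80_to_high": SYN_80_TO_HIGH, "http_reply": HTTP_REPLY,
            "ack_80_to_high": ACK_80_TO_HIGH}
    return {(a, p): evaluate(acl, pkt)
            for a, acl in acls.items() for p, pkt in pkts.items()}


if __name__ == "__main__":
    for (acl_name, pkt_name), verdict in decisions().items():
        print(f"{acl_name:12} {pkt_name:15} {verdict}")
```

Running it shows the progression in the thread: the original ACL permits a SYN from source port 80 to port 22; the "port > 1023" version closes that but still permits a fresh SYN from port 80 to a high port; the "established" version drops that SYN while still passing the ACK-carrying return traffic from a real web server. It also shows the trade-off behind Jason's question: a bare ACK from port 80 to a high port is permitted, because a stateless ACL has no connection table to consult and can only look at the flags, so the high ports do remain reachable for non-SYN segments.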