Re: ipfwadm

Jos Vos (jos@xos.nl)
Mon, 27 May 1996 15:22:15 +0200 (MET DST)


> > Here's the problem, I set this:
> >
> > ipfwadm -I -a acc -b -W ppp0 -P tcp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80
> > ipfwadm -I -a acc -b -W ppp0 -P udp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80
>
> You should set it to:
>
> ipfwadm -I -a acc -b -W ppp0 -P tcp -S a.b.c.d/32 -D 0.0.0.0/0 80
>
> where a.b.c.d is your IP address.
> Because the port of the connecting machine is chosen randomly (unless
> selected by an explicit bind() call) you don't know the port number of
> the source address. Obviously it can't be 80 if a HTTP server is running
> on this machine too.

This will work, but it includes several security risks.

First of all, you may want to exclude the privileged ports from the
source addresses, especially because the above rule also allows _incoming_
sessions from port 80 on any host to any internal port. This is _unsafe_.
(In fact, you need to exclude all ports on which servers are running.)

So, you should use the -k (TCP ACK) option in this command.
Including the -k in the above command will not allow any new sessions
to be initiated from the outside, because it requires the TCP ACK flag
to be set on all incoming packets. And the first TCP packet of a session,
which is sent _from_ you to the outside world, doesn't carry this flag.

When using the -k option, the need for excluding the privileged ports
is overruled, but I always try to define rules as restrictive
as possible.

-- 
--    Jos Vos <jos@xos.nl>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
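To make the point of this thread concrete, here is a small model of how an ipfwadm input rule (-I) treats packets with and without -k. This is an added illustration written for this page, not ipfwadm's code; it models only -S/-D address and port matching, -b (the rule also matches with source and destination swapped), -k (the rule matches only packets carrying the TCP ACK flag) and a default policy of deny. The addresses 192.0.2.1 (standing in for a.b.c.d) and 203.0.113.5 and the packets below are constructed for the example.

```python
"""Model of ipfwadm -I rule matching with and without -k (TCP ACK).

Added example for this thread, not ipfwadm itself.  Modelled options:
-S/-D address and optional port list, -b (also match with source and
destination swapped), -k (match only packets with the TCP ACK flag).
Unmatched packets hit an assumed default policy of deny (-I -p deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

ME = "192.0.2.1"        # stands in for a.b.c.d (constructed)
WEB = "203.0.113.5"     # some host on the outside (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    src_net: str                        # -S network (CIDR)
    sports: Optional[FrozenSet[int]]    # ports after -S, None = any
    dst_net: str                        # -D network (CIDR)
    dports: Optional[FrozenSet[int]]    # ports after -D, None = any
    bidirectional: bool = False         # -b
    ack_only: bool = False              # -k


def _match(p, src_net, sports, dst_net, dports):
    """Address/port match in one direction."""
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(src_net)
            and (sports is None or p.sport in sports)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst_net)
            and (dports is None or p.dport in dports))


def rule_matches(rule, p):
    # -k: a packet without ACK (i.e. the SYN that opens a session) never matches.
    if rule.ack_only and not p.ack:
        return False
    if _match(p, rule.src_net, rule.sports, rule.dst_net, rule.dports):
        return True
    # -b: try again with the packet's source and destination swapped.
    return rule.bidirectional and _match(
        p, rule.dst_net, rule.dports, rule.src_net, rule.sports)


def decide(rules, p):
    """First matching rule accepts; otherwise the default policy (deny)."""
    return "accept" if any(rule_matches(r, p) for r in rules) else "deny"


# The original poster's rule: port 80 on *both* sides.
original_rule = Rule("0.0.0.0/0", frozenset({80}), "0.0.0.0/0", frozenset({80}),
                     bidirectional=True)
# The suggested rule: -S a.b.c.d/32 -D 0.0.0.0/0 80 -b, without -k.
rule_without_k = Rule(f"{ME}/32", None, "0.0.0.0/0", frozenset({80}),
                      bidirectional=True)
# The same rule with -k added.
rule_with_k = Rule(f"{ME}/32", None, "0.0.0.0/0", frozenset({80}),
                   bidirectional=True, ack_only=True)

# Constructed inbound packets as seen on the input chain.
syn_ack_reply = Packet(WEB, 80, ME, 34567, ack=True)      # reply to our own SYN
data_reply = Packet(WEB, 80, ME, 34567, ack=True)         # later data from the server
syn_from_port_80 = Packet(WEB, 80, ME, 23, ack=False)     # outsider opening telnet, sport 80
syn_to_our_80 = Packet(WEB, 40001, ME, 80, ack=False)     # outsider opening our port 80


def summary():
    """Decision per (rule, packet) for the cases discussed in the thread."""
    return {
        "original: reply to our session": decide([original_rule], syn_ack_reply),
        "no -k: reply to our session": decide([rule_without_k], syn_ack_reply),
        "no -k: new session from sport 80": decide([rule_without_k], syn_from_port_80),
        "-k: reply to our session": decide([rule_with_k], syn_ack_reply),
        "-k: later data from server": decide([rule_with_k], data_reply),
        "-k: new session from sport 80": decide([rule_with_k], syn_from_port_80),
        "-k: new session to our port 80": decide([rule_with_k], syn_to_our_80),
    }


if __name__ == "__main__":
    for case, verdict in summary().items():
        print(f"{case:40s} {verdict}")
```

The model shows the three situations in the thread: the original rule with port 80 on both sides drops the replies to your own sessions (their destination port is the randomly chosen client port, not 80); the suggested rule without -k lets an outsider who binds source port 80 open a session to any local port such as telnet; the same rule with -k still passes the replies and data of sessions you opened, because those carry ACK, but drops any inbound SYN.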