On Mon, 4 Dec 2000, Gary Flynn wrote:

> > TCP-based systems keep their own state, and other than some DoS stuff
> > (which should be tuned on Internet-accessible hosts anyway), there's not a
> > great deal of value from the filter keeping state.  Cisco router filtering
> > on a normal IOS image isn't stateful either, but it's still the best
> > first line of defense.
>
> What about the ability to block incoming packets that are not part of a session
> initiated from the inside? This enables permitting outgoing connections to
> servers without allowing all the high, dynamic ports in. While Cisco's
> 'established' keyword provides similar functionality, it allows crafted
> packets without the SYN bit set to enter the internal network and probe for
> open ports.

If your policy is that anything inside gets to talk outside, probing for
open ports works; blocking outbound RSTs might provide the same sort of
protection, with some timeout issues.  Certainly, leaking ICMP port
unreachables seems to be self-destructive to me.  In any case, being able
to map TCP ports that you can't connect to isn't all that valuable without
an additional vector of attack.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
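To make the difference between the two filters in this exchange concrete, here is an added example (not from either poster) that models a stateless 'established'-style rule beside a minimal connection tracker and runs constructed traffic through both; the Packet class, StatefulFilter, evaluate() and the sample addresses are all assumptions for the demonstration, and the 'established' rule is modelled as "permit inbound TCP with ACK or RST set".

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header.
SYN, ACK, RST = 0x02, 0x10, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when arriving on the outside interface


def established_acl_permits(pkt: Packet) -> bool:
    """Stateless rule: any inbound segment with ACK or RST set is treated as
    belonging to an existing session, whoever actually opened it."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Minimal tracker: an outbound SYN records a session, and inbound
    segments are permitted only if they answer a recorded session."""

    def __init__(self) -> None:
        self.sessions = set()

    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must match a session opened from inside.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def evaluate(packets):
    """Return (established_verdict, stateful_verdict) per packet, in order."""
    sf = StatefulFilter()
    return [(established_acl_permits(p), sf.permits(p)) for p in packets]


# Constructed traffic: one legitimate outbound web session, then two
# unsolicited inbound segments aimed at an internal host's port 22.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, SYN, inbound=False),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, SYN | ACK, inbound=True),
    Packet("198.51.100.7", 12345, "10.0.0.5", 22, ACK, inbound=True),
    Packet("198.51.100.7", 12345, "10.0.0.5", 22, SYN, inbound=True),
]
```

The third packet is the case Gary describes: the stateless rule lets the bare ACK through because the bit is set, while the tracker drops it because no inside host opened that session.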