On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:
At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
We are in the process of setting up a bastion host. One of the things we'd like to do is to filter packets not only at the ip layer, but by what program is listening on a particular port. Is this a possibility?

Are you saying that you want to have the packet filter check to see what application is listening on a particular port, then allow/deny access based on the name of the application?

Exactly.

You should consider just how difficult it is to rename a malicious program to, say, "ssh" in order to get around such checking. (Answer: trivial.) If you really want to control traffic in this fashion, you should look towards what the industry calls "deep packet inspection" or mandatory usage of proxies for all permitted protocols, instead.

Do you not have control over what is run on this system?

So perhaps our specific example might be prudent:

kevin $: ssh bastion
bastion $: ssh internalserver
<hang>

Relevant part of log:

Apr 18 09:35:23 kappia ipmon[405]: 09:35:22.695348 fxp0 \
        @0:4 b internalserver,22 -> bastion,53136 PR tcp \
        len 20 52 -AS IN

It's blocking because we are dropping all packets not destined for port 22. Since ssh /from/ the bastion picks a random high port, it's dropping all the return packets to that random high port.

How have others handled this type of scenario, where a hardening of a bastion host has been desired/necessary?

The main approaches are to use a stateful firewall ruleset, to explicitly permit return traffic via additional rules, or to simply permit established connections through. These options are arranged in rough order of how secure they are. I suspect that you are encountering a steep learning curve, and that some additional reading will help you make much better decisions about how to configure a firewall.

Consider getting either or both of:

"Building Internet Firewalls", ISBN-10: 1565928717
http://www.oreilly.com/catalog/fire2/

"Firewalls and Internet Security: Repelling the Wily Hacker", ISBN-10: 020163466X
http://www.aw-bc.com/catalog/academic/product/0,1144,020163466X,00.html

Regards,
--
-Chuck
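The stateful approach Chuck recommends, written out as an ipfilter ruleset for the exact situation in the log above. This is an added example, not from the thread; the interface name fxp0 comes from the log, while the bastion address 192.0.2.10 is a placeholder since the thread gives no addresses.

```ipf
# /etc/ipf.rules on the bastion (constructed example; 192.0.2.10 stands in
# for the bastion's fxp0 address, which the thread does not give).
#
# The ruleset that produced the log line: everything not destined for
# port 22 on the bastion is dropped, so the SYN-ACK ("-AS") that
# internalserver,22 sends back to the bastion's ephemeral port 53136 is
# logged ("b") and blocked:
#
#   pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22
#   block in log on fxp0 all
#
# Stateful version: "keep state" on the rule that admits the first packet
# of a connection (flags S) creates a state-table entry, and every later
# packet of that connection, in either direction, is matched against the
# state table before the rules are consulted. The default remains block.

# Log and drop anything the rules below do not explicitly allow.
block in log on fxp0 all
block out log on fxp0 all

# Inbound administrative ssh to the bastion.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state

# Outbound ssh from the bastion to internal hosts. The state entry created
# here is what lets the internalserver,22 -> bastion,53136 reply through
# without any inbound rule for ephemeral ports.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any port = 22 flags S keep state

# The alternative Chuck ranks lower, a rule admitting any inbound packet
# from port 22 with ACK set, would also unblock this reply, but it passes
# every ACK-bearing packet an outside host chooses to send, with no check
# that a connection was ever opened from this side.
#
# Load with: ipf -Fa -f /etc/ipf.rules    Inspect the state table: ipfstat -s
```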

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions