Simon Lockhart wrote:

Generally, I just use stateless ACLs when I need additional network level
security. However, they do have one big disadvantage. Say you've got a server
where you want to allow outbound HTTP access to anywhere on the Internet, but
only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
which looks something like:

  - Allow from home DSL IP to server port 22
  - Allow from anywhere port 80 to server

Change the above to:
    - Allow from anywhere port 80 to server port > 1023

Or better:
    - Allow from anywhere port 80 to server port > 1023 established

  - Deny all other traffic.

You need the port 80 rule to allow the return traffic from all those outbound
connections.

Those outbound connections will originate from a random high port, so just allow those as destination ports on your inbound rule.

However, an enterprising hacker realises that he can create a TCP connection
from port 80 on his own box to port 22 on your server.

Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

Reply via email to