> Pierre B. Samson wrote:
> >
> > $IPT -A INPUT -p udp --source-port 53 -j ACCEPT
> > $IPT -A INPUT -p udp --destination-port 53 -j ACCEPT
> > $IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
> > $IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
If that's really what your rules are like (and without seeing the full set
it's impossible to tell what else might take effect) then you're leaving
yourself essentially unprotected! Filtering on the source port is almost
never a sensible thing to do. Remember it's under the control of the
person at the other end trying to break into your machine. They certainly
won't say to themselves "oh, that's the ident (or whatever) port, we can't
use that for our nefarious schemes." On the contrary, they'll be trying
all the standard port numbers as *source* ports in the hope that they'll
happen across a misconfigured firewall that they can get through.

When you're designing your filter rules you have to ask yourself what
information in the incoming packet is reliable. Sometimes you can convince
yourself that you trust the machine at the other end and the network in
between. Often, though, all you really know for sure is the destination
address (yours!) and the destination port (where the packet will end up if
you don't filter it out first).
--
Dr George D M Ross, Division of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: [EMAIL PROTECTED] Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP DSA: 1024/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
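The point of the reply above is that the source port is whatever the remote sender chooses to put in the packet, so an ACCEPT rule keyed on it lets a new connection to any local port through as long as the sender picks 53 or 113. The following is an added example, not code from the thread: a small model of an iptables INPUT chain (first match wins, default policy DROP, a deliberate simplification of iptables semantics) that runs the quoted rule set and a version keyed only on connection state and destination port against constructed packets. The names WEAK_CHAIN, HARDENED_CHAIN and the sample packets are the example's own; the hardened rules correspond to the real iptables `-m state --state ESTABLISHED,RELATED` match followed by per-service `--destination-port` rules.

```python
"""Added example (not from the original mailing-list thread): compare
ACCEPT rules keyed on the sender-chosen source port with rules keyed on
what the receiving host actually controls.  The evaluator is a simplified
model of iptables chain semantics; all packet values are constructed."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port: chosen by the remote sender, not trustworthy
    dport: int   # destination port on this host: where the packet will land
    state: str   # conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches when every field it specifies equals the packet's."""
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.sport, p.sport),
            (self.dport, p.dport), (self.state, p.state)))


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The rule set quoted in the thread: two of the four rules trust --source-port.
WEAK_CHAIN = [
    Rule("ACCEPT", proto="udp", sport=53),
    Rule("ACCEPT", proto="udp", dport=53),
    Rule("ACCEPT", proto="tcp", sport=113),
    Rule("ACCEPT", proto="tcp", dport=113),
]

# Rules keyed only on information this host controls: replies to traffic it
# started (conntrack ESTABLISHED/RELATED) and the destination ports of the
# services it deliberately exposes.  Assumed services: DNS 53/udp, ident 113/tcp.
HARDENED_CHAIN = [
    Rule("ACCEPT", state="ESTABLISHED"),           # -m state --state ESTABLISHED,RELATED
    Rule("ACCEPT", proto="udp", dport=53, state="NEW"),
    Rule("ACCEPT", proto="tcp", dport=113, state="NEW"),
]

# Constructed sample packets.
DNS_REPLY = Packet("udp", 53, 41234, "ESTABLISHED")     # answer to our own query
DNS_QUERY = Packet("udp", 50123, 53, "NEW")             # someone querying our resolver
PROBE_TO_SSH = Packet("tcp", 113, 22, "NEW")            # new connection, sport set to 113
PROBE_TO_PORTMAP = Packet("udp", 53, 111, "NEW")        # new datagram, sport set to 53


def verdicts(p: Packet) -> dict:
    """Return the verdict of each chain for one packet."""
    return {"weak": evaluate(WEAK_CHAIN, p),
            "hardened": evaluate(HARDENED_CHAIN, p)}


if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("DNS query", DNS_QUERY),
                      ("probe to 22/tcp", PROBE_TO_SSH),
                      ("probe to 111/udp", PROBE_TO_PORTMAP)]:
        v = verdicts(pkt)
        print(f"{name:18} weak={v['weak']:6} hardened={v['hardened']}")
```

Legitimate traffic (the DNS reply and the inbound DNS query) is accepted by both chains, so nothing is lost by dropping the source-port rules; the two probe packets, which differ from arbitrary unsolicited traffic only in the source port the sender wrote, pass the quoted rules and are dropped by the hardened ones.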
