Hello there, guys:
      I have set up a linux box (RH 7.1) to use as a firewall between
      2 tiny LANs and the internet; it looks like this:

                      (sorry for the poor "art")

                                     eth2  *********************
  (((((((((((( eth0  **************<------>** LAN2(Win 9x)    **
  ((Internet((<----->** LINUX    **        *********************
  ((((((((((((       ** RH 7.1   **        *********************
                     **************<------>**LAN1(Win - linux)**
                                     eth1  *********************


     So far, the linux box is used, as I said, to firewall the
     internal LANs (currently there's only one PC attached to each
     internal nic) and to share a unique connection to the outside
     world. We are not providing any public services, no servers at
     all, except for ssh to manage the firewall and webwasher as a
     proxy (to avoid ads); all this is planned to be accessible only
     from the internal side.

     I am no guru at all (just the only one who is willing to play and
     learn with linux and security). So, while I'm learning to
     properly manage this stuff, I am blocking (DROPPING) all SYN
     packets that come from outside and allowing incoming SYNs from the
     internal side (but only to ssh and webwasher). Any other traffic
     is allowed. So, nmap -sS reports everything filtered, but nmap
     -sF is able to find the X server, webwasher and ssh.

     Local security is not a problem (oh, well, I know you can never
     be so sure, but let's say it's reasonably secure ;-} ), but I am
     wondering if I'm missing something here (surely I do)... my
     reasoning here is "if they cannot connect to any port with a
     SYN, then they cannot get a login prompt or any other thing so as
     to get root". Well, I imagine that if they can compromise one of
     the internal machines then they could get to one port on the
     firewall (I know I shouldn't run a firewall and servers on the
     same box, but there are budget considerations here; a pity we are
     not in a perfect world...). Anyway, if I don't do DNAT or put a
     service on the internal PCs I think it gets rather difficult for a
     remote hacker, OR NOT?

     Ok, I have this "Frankenstein" running and attached to the net for
     about 3 weeks... Have I been too naive and maybe they already
     rooted me?

     Any comments and help are welcome; please forgive my English if I
     have committed any mistakes, and also the rather lengthy message...
     I'll make it shorter the next time.
-- 
Best regards,
 Juan                          mailto:[EMAIL PROTECTED]
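The point behind the nmap -sS versus -sF observation above, as an added example that is not part of Juan's message: a rule that only drops inbound SYNs lets any non-SYN packet from the Internet (a lone FIN, for instance) reach the box's listening services, whereas the usual stateful rule (iptables `-m state --state ESTABLISHED,RELATED` on the external interface) drops everything that is not return traffic of a connection the inside opened. The interface names and ports below are modelled on the diagram; the webwasher port is an assumption.

```python
# Added example: simulates the two firewall policies discussed in the post so
# the difference between "drop inbound SYN" and "accept only ESTABLISHED" can
# be seen offline. Ports, interface names and packets are constructed here.
from dataclasses import dataclass

EXTERNAL_IF = "eth0"  # Internet-facing NIC in the diagram
LOCAL_SERVICES = {22: "ssh", 6000: "X server", 8080: "webwasher (assumed port)"}


@dataclass
class Packet:
    in_iface: str
    dport: int
    flags: frozenset    # TCP flags present, e.g. {"SYN"}, {"FIN"}, {"ACK"}
    conntrack: str      # Netfilter state: NEW, ESTABLISHED, RELATED or INVALID


def syn_only_policy(pkt: Packet) -> str:
    """Original setup: DROP inbound SYNs from the Internet, ACCEPT the rest."""
    if pkt.in_iface == EXTERNAL_IF and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "DROP"
    return "ACCEPT"


def stateful_policy(pkt: Packet) -> str:
    """Corrected setup: from the Internet only ESTABLISHED/RELATED traffic is
    accepted; anything else, SYN or not, is dropped."""
    if pkt.in_iface == EXTERNAL_IF and pkt.conntrack not in ("ESTABLISHED", "RELATED"):
        return "DROP"
    return "ACCEPT"


def reachable_from_internet(policy) -> dict:
    """Which local services a stray FIN probe (what nmap -sF sends) can reach."""
    result = {}
    for port, name in LOCAL_SERVICES.items():
        # A bare FIN that belongs to no tracked connection is NEW or INVALID
        # to conntrack, never ESTABLISHED.
        probe = Packet(EXTERNAL_IF, port, frozenset({"FIN"}), "NEW")
        result[name] = policy(probe) == "ACCEPT"
    return result


if __name__ == "__main__":
    print("SYN-only :", reachable_from_internet(syn_only_policy))
    print("stateful :", reachable_from_internet(stateful_policy))
```

Return traffic for connections opened from the LANs still passes the stateful policy because conntrack marks it ESTABLISHED, so sharing the connection keeps working.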
