From owner-freebsd-questions@FreeBSD.ORG Wed Apr 18 19:47:01 2007
From: Chuck Swiger <cswiger@mac.com>
Date: Wed, 18 Apr 2007 12:46:56 -0700
To: Kevin Hunter
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, Randy Schultz
Subject: Re: program/binary ip filtering
Message-Id: <22C0F9E3-6A59-4164-94DD-8F0677C3E37D@mac.com>
In-Reply-To:
References: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu> <20070418144246.bab7d6d5.wmoran@potentialtech.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:

> At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
>>> We are in the process of setting up a bastion host. One of the
>>> things we'd like to do is to filter packets not only at the ip
>>> layer, but by what program is listening on a particular port. Is
>>> this a possibility?
>>
>> Are you saying that you want to have the packet filter check to
>> see what application is listening on a particular port, then allow/
>> deny access based on the name of the application?
>
> Exactly.

You should consider just how difficult it is to rename a malicious
program to, say, "ssh" in order to get around such checking.
(Answer: trivial.)

If you really want to control traffic in this fashion, you should
look towards what the industry calls "deep packet inspection" or
mandatory usage of proxies for all permitted protocols, instead.

>> Do you not have control over what is run on this system?
>
> So perhaps our specific example might be prudent:
>
> kevin $: ssh bastion
> bastion $: ssh internalserver
>
> Relevant part of log:
>
> Apr 18 09:35:23 kappia ipmon[405]: 09:35:22.695348 fxp0 \
> @0:4 b internalserver,22 -> bastion,53136 PR tcp \
> len 20 52 -AS IN
>
> It's blocking because we are dropping all packets not destined for
> port 22. Since ssh /from/ the bastion picks a random high port,
> it's dropping all the return packets to that random high port.
>
> How have others handled this type of scenario, where a hardening of
> a bastion host has been desired/necessary?

The main approaches are to use a stateful firewall ruleset, to
explicitly permit return traffic via additional rules, or to simply
permit established connections through. These options are arranged
in rough order of how secure they are.

I suspect that you are encountering a steep learning curve, and that
some additional reading will help you make much better decisions
about how to configure a firewall. Consider getting either or both of:

"Building Internet Firewalls", ISBN-10: 1565928717
http://www.oreilly.com/catalog/fire2/

"Firewalls and Internet Security: Repelling the Wily Hacker", ISBN-10: 020163466X
http://www.aw-bc.com/catalog/academic/product/0,1144,020163466X,00.html

Regards,
-- 
-Chuck
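Added example, not part of Chuck's reply or of the thread: a small Python model of the three approaches he lists (plus Kevin's current rule), run against the TCP handshake behind the ipmon log line above and against two constructed unsolicited inbound ACK segments. The host names, port 60000 and "otherhost" are made up for illustration; the point it shows is why the options rank the way Chuck ranks them. In ipfilter itself the stateful option corresponds to the `keep state` keyword on the pass rule.

```python
# Added example (not from the thread): a toy model of the three approaches
# Chuck lists, run against the packet sequence implied by Kevin's ipmon log.
# Host names and the extra packets are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the bastion, "in" = arriving at it
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" = SYN, "SA" = SYN+ACK, "A" = ACK


StateTable = Set[Tuple[str, int, str, int]]
Policy = Callable[[Packet, StateTable], bool]


def stateless_port22_only(pkt: Packet, state: StateTable) -> bool:
    """Kevin's current ruleset: drop everything not destined for port 22.
    The SYN+ACK coming back to the bastion's ephemeral port is lost."""
    return pkt.dport == 22


def explicit_return_rules(pkt: Packet, state: StateTable) -> bool:
    """Middle option: add a static rule per known peer, e.g. permit inbound
    from internalserver port 22 to the bastion's ephemeral port range."""
    if pkt.dport == 22:
        return True
    return (pkt.direction == "in" and pkt.src == "internalserver"
            and pkt.sport == 22 and pkt.dport >= 1024)


def permit_established(pkt: Packet, state: StateTable) -> bool:
    """Weakest option: let any inbound segment with ACK set through,
    i.e. trust the flag bits rather than a connection the bastion opened."""
    return pkt.dport == 22 or (pkt.direction == "in" and "A" in pkt.flags)


def stateful(pkt: Packet, state: StateTable) -> bool:
    """Strongest option (ipfilter's 'keep state'): a SYN to port 22 creates
    a state entry; later packets pass only if they match an entry in either
    direction. Unsolicited ACKs have no entry and are dropped."""
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if key in state or reverse in state:
        return True
    if pkt.flags == "S" and pkt.dport == 22:
        state.add(key)
        return True
    return False


def evaluate(policy: Policy, packets: List[Packet]) -> List[bool]:
    """Apply one policy to a packet sequence with a fresh state table;
    True means the packet is passed, False means it is blocked."""
    state: StateTable = set()
    return [policy(p, state) for p in packets]


# Constructed traffic: packets 1-3 are the handshake behind Kevin's log line
# ("internalserver,22 -> bastion,53136 ... -AS IN" is packet 2); packets 4
# and 5 are inbound ACK segments for which the bastion never sent a SYN.
TRAFFIC = [
    Packet("out", "bastion", 53136, "internalserver", 22, "S"),
    Packet("in", "internalserver", 22, "bastion", 53136, "SA"),
    Packet("out", "bastion", 53136, "internalserver", 22, "A"),
    Packet("in", "otherhost", 4444, "bastion", 53136, "A"),
    Packet("in", "internalserver", 22, "bastion", 60000, "A"),
]

POLICIES = {
    "stateless_port22_only": stateless_port22_only,
    "explicit_return_rules": explicit_return_rules,
    "permit_established": permit_established,
    "stateful": stateful,
}


def compare_policies(packets: List[Packet] = TRAFFIC) -> dict:
    """Return {policy name: list of pass/block verdicts} for the traffic."""
    return {name: evaluate(fn, packets) for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:24s}", " ".join("pass " if v else "block" for v in verdicts))
```

Running it shows the ordering: the port-22-only rule blocks the SYN+ACK (Kevin's log line), "permit established" lets that through but also passes both unsolicited ACKs, the per-peer static rule stops the segment from an unknown host but not the one from internalserver to a port the bastion never opened, and only the stateful table passes exactly the connection the bastion initiated.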