Date: Wed, 18 Apr 2007 12:46:56 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Kevin Hunter <hunteke@earlham.edu>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, Randy Schultz <schulra@earlham.edu>
Subject: Re: program/binary ip filtering
Message-ID: <22C0F9E3-6A59-4164-94DD-8F0677C3E37D@mac.com>
In-Reply-To: <D78E83C6-6EC4-4656-90A7-8ABEC0E5406F@earlham.edu>
References: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu> <20070418144246.bab7d6d5.wmoran@potentialtech.com> <D78E83C6-6EC4-4656-90A7-8ABEC0E5406F@earlham.edu>
On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:

> At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
>>> We are in the process of setting up a bastion host. One of the
>>> things we'd like to do is to filter packets not only at the ip
>>> layer, but by what program is listening on a particular port. Is
>>> this a possibility?
>>
>> Are you saying that you want to have the packet filter check to
>> see what application is listening on a particular port, then allow/
>> deny access based on the name of the application?
>
> Exactly.

You should consider just how difficult it is to rename a malicious program to, say, "ssh" in order to get around such checking. (Answer: trivial.) If you really want to control traffic in this fashion, you should look towards what the industry calls "deep packet inspection" or mandatory usage of proxies for all permitted protocols, instead.

>> Do you not have control over what is run on this system?
>
> So perhaps our specific example might be prudent:
>
> kevin $: ssh bastion
> bastion $: ssh internalserver
> <hang>
>
> Relevant part of log:
>
> Apr 18 09:35:23 kappia ipmon[405]: 09:35:22.695348 fxp0 \
> @0:4 b internalserver,22 -> bastion,53136 PR tcp \
> len 20 52 -AS IN
>
> It's blocking because we are dropping all packets not destined for
> port 22. Since ssh /from/ the bastion picks a random high port,
> it's dropping all the return packets to that random high port.
>
> How have others handled this type of scenario, where a hardening of
> a bastion host has been desired/necessary?

The main approaches are to use a stateful firewall ruleset, to explicitly permit return traffic via additional rules, or to simply permit established connections through. These options are arranged in rough order of how secure they are.

I suspect that you are encountering a steep learning curve, and that some additional reading will help you make much better decisions about how to configure a firewall.

Consider getting either or both of:

"Building Internet Firewalls", ISBN-10: 1565928717
http://www.oreilly.com/catalog/fire2/

"Firewalls and Internet Security: Repelling the Wily Hacker", ISBN-10: 020163466X
http://www.aw-bc.com/catalog/academic/product/0,1144,020163466X,00.html

Regards,
--
-Chuck
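As an added illustration (not part of Chuck's reply nor of FreeBSD's own documentation), the three approaches Chuck lists written as IPFilter rules, since the log line in the thread comes from ipmon. The interface (fxp0) and host names (bastion, internalserver) are taken from Kevin's log; the rule syntax follows ipf.conf(5), and the weak "before" ruleset and the exact rule ordering are assumptions made for the example.

```conf
# Constructed /etc/ipf.conf fragments; hostnames and fxp0 come from the thread,
# everything else is assumed for illustration.

# --- Weak ruleset (reproduces the symptom in the ipmon log) ---------------
# Only inbound SSH is permitted. When the bastion itself runs "ssh
# internalserver", the SYN/ACK that comes back to the bastion's ephemeral
# port (53136 in the log, flags -AS, direction IN) matches no pass rule and
# is dropped by the block rule, so the session hangs.
#block in log all
#pass in quick on fxp0 proto tcp from any to bastion port = 22

# --- Option 1: stateful ruleset (the approach listed first) ----------------
# The initial SYN of an outbound connection creates a state-table entry;
# the reply is matched against that entry, so no inbound rule for
# ephemeral ports is needed and only replies to connections the bastion
# actually opened are let in.
block in log all
block out log all
pass out quick on fxp0 proto tcp from bastion to any flags S keep state
pass in  quick on fxp0 proto tcp from any to bastion port = 22 flags S keep state

# --- Option 2: explicit return-traffic rules (weaker) ----------------------
# Admits anything arriving from source port 22 to an ephemeral port, whether
# or not the bastion initiated the connection.
#pass in quick on fxp0 proto tcp from any port = 22 to bastion port > 1023

# --- Option 3: permit "established" segments (weakest) ---------------------
# Any inbound TCP segment with ACK set is accepted; nothing ties it to a
# connection the bastion opened, which is why it sits last in Chuck's order.
#pass in quick on fxp0 proto tcp from any to bastion flags A/A
```

After loading the stateful variant (Option 1), the ipmon log line quoted above should no longer appear for the bastion's outbound ssh, because the SYN/ACK from internalserver,22 is matched by the state entry created by the `pass out ... keep state` rule rather than by the final `block in` rule.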