Edouard Soriano wrote:

> I am dealing with ipchains, configuring a firewall with three Ethernet
> adapters.
>
> The configuration is of the type « Anything authorized is rejected ».
> To do that I wrote several shells, one per service I want to set up,
> declaring the authorisations. This makes the complete configuration a
> little easier.
>
> One thing quite surprises me:
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>     -s $EXTERNAL_IPADDR $UNPRIVPORTS \
>     -d $ANYWHERE 23 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
>     -s $ANYWHERE 23 \
>     -d $EXTERNAL_IPADDR $UNPRIVPORTS -j ACCEPT
>
> No problem with the first ipchains command.
>
> The problem, at my understanding level, is with the second command, which
> means for me « Let enter any packet coming from Anywhere port 23 addressed
> to my External IP Address having the ACK indicator on the IP packet. »
> If I am not wrong, this means that, after having scanned my system for
> opened ports, a hacker can address IP data to any of UNPRIVPORTS with
> that indicator ON.
>
> Question 1)
> How can I make sure that those packets are real packets coming from an
> accepted client?

You would need to use iptables (in the 2.4 kernels), which has state
management. With ipchains, the best you can get is "! -y"; that won't
accept SYN-without-ACK packets, so an attacker cannot create a new
connection.

> Question 2)
> How can I reject packets coming from telnet $EXTERNAL_IPADDRESS 80 or any
> other telnet out of port 23?

Specifying remote source ports doesn't really get you any improvement in
security; an attacker can use any source port.

-- 
Glynn Clements <glynn.clements@virgin.net>
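The reply above contrasts the stateless ipchains "! -y" test with iptables connection tracking. The script below is an added example, not part of this thread or of any firewall script the poster described: it writes the same outbound-telnet policy for iptables twice, once with "! --syn" (the iptables spelling of ipchains "! -y") and once with the 2.4-era "-m state" match, so the two can be compared side by side. The interface name, the address 192.0.2.10 and the IPT variable are constructed for the example; IPT defaults to echo so the script only prints the rules it would load, and the counting helper is there to make the difference between the two rule sets visible.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints (or, with IPT=iptables,
# loads) an outbound-telnet policy in two forms: stateless and stateful.
# Interface, address and the IPT variable are constructed for the example.

IPT="${IPT:-echo}"          # "echo" = dry run; set IPT=iptables to apply
UNPRIVPORTS="1024:65535"
ANYWHERE="0/0"

# Stateless form, mirroring the ipchains rules in the question. "! --syn" is
# the iptables equivalent of ipchains "! -y": any inbound packet from source
# port 23 without SYN alone is accepted, whether or not we ever opened a
# connection. This is the exposure the question describes.
stateless_telnet_rules() {
    ext_if="$1"; ext_ip="$2"
    $IPT -A OUTPUT -o "$ext_if" -p tcp \
        -s "$ext_ip" --sport "$UNPRIVPORTS" -d "$ANYWHERE" --dport 23 -j ACCEPT
    $IPT -A INPUT -i "$ext_if" -p tcp ! --syn \
        -s "$ANYWHERE" --sport 23 -d "$ext_ip" --dport "$UNPRIVPORTS" -j ACCEPT
}

# Stateful form, the answer's recommendation. Inbound packets are accepted
# only when the connection tracker already holds an entry created by our own
# outbound SYN, so a stray ACK aimed at an unprivileged port matches nothing.
stateful_telnet_rules() {
    ext_if="$1"; ext_ip="$2"
    $IPT -A OUTPUT -o "$ext_if" -p tcp \
        -s "$ext_ip" --sport "$UNPRIVPORTS" -d "$ANYWHERE" --dport 23 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$ext_if" -p tcp \
        -s "$ANYWHERE" --sport 23 -d "$ext_ip" --dport "$UNPRIVPORTS" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Number of emitted rules that depend on connection state. A policy whose
# count is zero relies purely on TCP flags, i.e. the weaker form above.
count_stateful_rules() {
    "$1" "$2" "$3" | grep -c -- '--state' || true
}

echo "# stateless (flag test only):"
stateless_telnet_rules eth0 192.0.2.10
echo "# stateful (connection tracking):"
stateful_telnet_rules eth0 192.0.2.10
```

Run it as-is to see both rule sets; run it with IPT=iptables as root to load them. The OUTPUT rule in the stateful form still carries NEW so our own SYN can start the connection; only the INPUT side is restricted to ESTABLISHED.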