Re: Is this firewall good enough?

On Tuesday 08 June 2004 9:11 pm, Feizhou wrote:

> > That rule allows packets *to* port 80 - I was asking how you deal with
> > *reply* packets - the ones *from* port 80 on the remote server.
>
> iptables -A tcp_packets -p tcp --sport 80 --dport 1024:65535 -j ACCEPT

That is not my idea of a secure firewall rule - you are allowing an external 
scanner / attacker to access the machine on any TCP port from 1024 to 65535, 
simply by setting their source port to 80.

Sheesh - we might as well go back to stateless routers with access control 
lists.

> Stateful is expensive. If you have a high traffic load, it is not worth
> it. The context is when the box is a server. If you are protecting your
> home box, by all means, use stateful.

Hm - strange, then, that Checkpoint, Cyberguard, Netscreen, Gauntlet etc. all 
seem to say that stateful is better / more secure.

However, you are quite correct - you have the choice of using stateful 
connection tracking or not using it, as you prefer.

My choice is to have the security of having my ports closed by using stateful 
filtering. I don't have a fast enough Internet connection for performance 
to be a problem, and I don't know many people who do.

Regards,

Antony.

-- 
Most people have more than the average number of legs.

                                                     Please reply to the list;
                                                           please don't CC me.
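The two approaches argued over above, side by side, as an added example that is not part of the thread: the quoted source-port rule, and a replacement that admits replies only when Netfilter's connection tracking has seen us open the connection. The chain name `tcp_packets` is taken from the quoted rule; the script only prints the commands unless `IPT` is set to a real `iptables` binary.

```shell
#!/bin/sh
# Added example, not from the thread. By default the iptables commands are
# printed rather than applied; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

# Weak version (the quoted rule): trusts the peer's source port. Any packet
# with --sport 80 aimed at an unprivileged port is accepted, whether or not
# this host ever spoke to that peer.
weak_rules() {
    $IPT -A tcp_packets -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
}

# Stateful version: conntrack records the outbound SYN, so only packets that
# belong to a connection we started are let back in. A forged source port
# on an unsolicited packet is still state NEW and is dropped.
# (-m conntrack --ctstate is the current spelling of the older -m state --state.)
stateful_rules() {
    # Outbound: this host may open connections to web servers.
    $IPT -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Inbound: only traffic belonging to a connection conntrack already knows.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound: an unsolicited packet from port 80 is a new connection; drop it.
    $IPT -A INPUT -p tcp --sport 80 -m conntrack --ctstate NEW -j DROP
    # Default-deny so anything not matched above is dropped too.
    $IPT -P INPUT DROP
}

# Self-check on the printed ruleset: does any rule accept on source port
# alone? Prints "yes" or "no". Usage: has_sport_only_accept weak_rules
has_sport_only_accept() {
    if "$@" | grep -q -- '--sport 80 .*-j ACCEPT'; then
        echo yes
    else
        echo no
    fi
}
```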
