Speaking of modem firewalls, was: Re: [lug] newbie seeks www

D. Stimits stimits at idcomm.com
Tue Apr 24 10:38:00 MDT 2001


"Scott A. Herod" wrote:
> 
> Hi Dan,
> 
>   Speaking of firewalling a ppp interface, is it simply enough to
> block SYN packets?  I suppose that wouldn't stop UDP requests, but
> of course those could be blocked separately.  I'm thinking something
> like:
> 
> ipchains -P input ACCEPT
> ipchains -A input -j REJECT -p tcp -y -i ppp0 -s 0.0.0.0/0 -l
> ipchains -A input -j REJECT -p udp    -i ppp0 -s 0.0.0.0/0 -l
> 
> Basically, if I don't want anything to be able to initialize a
> connection across the ppp interface, is the above enough?  (I
> do want all communication to flow freely across the eth0 interface,
> which is only my home network.)

For tcp/ip on many things it is probably enough, but probably not on all
things. Consider the following scenario for when it might not be
enough... there are various buffer overflow attacks that are valid
attacks only during a particular phase of connecting, or of a fully
running connection, of tcp/ip sessions. But although it might be
mandatory to follow a normal connection procedure for a working
connection, the attacker might not care about that, and might be able to
send something out of order; despite this not allowing a normal connect,
I could see it still possibly allowing the attack through an
overflow/malformed packet. I don't know of any particular attacks that
allow this, but that doesn't mean they don't exist. My idea is that if
you can block it without it stopping normal operations, don't give the
attacker the opportunity (script kiddies are idiots, but there are
usually a few of the evil genius types out there too, writing the
scripts for the idiots).

D. Stimits, stimits at idcomm.com

> 
> Scott
> 
> "D. Stimits" wrote:
> >
> > You will probably want to be sure you have a kernel that supports
> > ipchains (firewalling), that it is enabled, and that several ports are
> > completely blocked from the modem (target interface ppp0). Anyone else,
> > feel free to name dangerous ports, but here are a few port numbers to
> > block, preferably both UDP and TCP (these are just very basic, there is
> > more to it):
> > 20, 21, input only (ftp).
> > 23, input only (telnet).
> > 53, other than your known name servers.
> > 80, input only (web server)
> > 98 (linuxconf)
> > 111
> > 137-139
> > 369
> > 514
> > 515 (printer, lpd)
> >
> > Both tcp and udp might not be relevant on a given port, but the ones
> > named you can safely block both regardless. Those above are just a
> > sample of ports that are either tested regularly by port scanning
> > crackers, or too important to be left open. There is a lot more that
> > should be blocked
> >
> > You'll want to update early on after getting the modem via (for RH 6.2):
> > http://www.redhat.com/support/errata/rh62-errata-security.html
> >
> > Or more generally:
> > http://www.redhat.com/support/errata/
> >
> > D. Stimits, stimits at idcomm.com
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
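
Added example (not code from the thread or from either poster): a small model of how the ipchains input chain evaluates the two rule sets under discussion. It runs the SYN-and-UDP-only rules Scott proposed, and a tightened set that adds the per-port DENYs from the earlier message plus a UDP exception for replies from a known name server, against a few constructed packets. The resolver address 192.0.2.53, the sample source addresses and the exact tightened ordering are assumptions for the example; the `-y` semantics (SYN set, ACK and FIN clear) and first-match-wins evaluation are ipchains' own.

```python
"""Model of the ipchains input chain discussed in the thread (added example).

ipchains walks a chain in order; the first matching rule decides the
packet, and the chain policy (-P) decides anything left over.  ``-y``
matches TCP segments with SYN set and ACK and FIN clear, i.e. only the
first packet of a handshake.  This models that evaluation; it is not
ipchains itself and does not touch the kernel.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                           # "tcp" or "udp"
    src: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT, DENY or REJECT
    iface: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s (single host in this model)
    sport: Optional[range] = None     # --sport
    dport: Optional[range] = None     # --dport
    syn_only: bool = False            # -y

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.syn_only:
            # -y: SYN set, ACK and FIN clear.  A bare ACK, FIN or SYN/ACK
            # segment does not match, so it falls through to later rules.
            if p.proto != "tcp":
                return False
            if "SYN" not in p.flags or "ACK" in p.flags or "FIN" in p.flags:
                return False
        return True


def verdict(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def port(n: int) -> range:
    return range(n, n + 1)


# The rule set proposed in the thread: refuse only SYN and UDP on ppp0.
SYN_AND_UDP_ONLY = [
    Rule("REJECT", iface="ppp0", proto="tcp", syn_only=True),
    Rule("REJECT", iface="ppp0", proto="udp"),
]

# Assumed address of the ISP's resolver (RFC 5737 documentation range).
NAME_SERVER = "192.0.2.53"

# Ports named earlier in the thread, dropped on ppp0 for both protocols and
# regardless of TCP flags, so an out-of-order segment cannot reach them.
BLOCKED_PORTS = [20, 21, 23, 80, 98, 111, 137, 138, 139, 369, 514, 515]

TIGHTENED = (
    [Rule("DENY", iface="ppp0", proto=pr, dport=port(n))
     for n in BLOCKED_PORTS for pr in ("tcp", "udp")]
    + [
        # Port 53 "other than your known name servers": replies from the
        # resolver are accepted, every other inbound UDP is still refused.
        Rule("ACCEPT", iface="ppp0", proto="udp", src=NAME_SERVER, sport=port(53)),
        Rule("REJECT", iface="ppp0", proto="tcp", syn_only=True),
        Rule("REJECT", iface="ppp0", proto="udp"),
    ]
)

# Constructed sample traffic, not captured packets.
SAMPLES = {
    "syn_to_web_ppp0": Packet("ppp0", "tcp", "198.51.100.7", 40000, 80, frozenset({"SYN"})),
    "ack_to_portmap_ppp0": Packet("ppp0", "tcp", "198.51.100.7", 40000, 111, frozenset({"ACK"})),
    "netbios_udp_ppp0": Packet("ppp0", "udp", "198.51.100.7", 137, 137),
    "dns_reply_from_resolver": Packet("ppp0", "udp", NAME_SERVER, 53, 1025),
    "dns_reply_from_stranger": Packet("ppp0", "udp", "198.51.100.9", 53, 1025),
    "syn_from_lan_eth0": Packet("eth0", "tcp", "192.168.1.5", 3000, 22, frozenset({"SYN"})),
}


def compare(policy: str = "ACCEPT") -> Dict[str, Tuple[str, str]]:
    """Verdict of each sample under the thread's rule set and the tightened one."""
    return {name: (verdict(SYN_AND_UDP_ONLY, policy, p), verdict(TIGHTENED, policy, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:26s} syn/udp-only={loose:7s} tightened={tight}")
```

Two results are worth noticing. A bare ACK to port 111 on ppp0 passes the SYN-and-UDP-only set (nothing matches, the ACCEPT policy applies), which is exactly the out-of-order case the reply worries about; the tightened set denies it because the port rule ignores flags. And the original set rejects all inbound UDP on ppp0, including replies from the resolver, so name lookups over the modem would fail; the tightened set admits those replies only from the known name server and still refuses the same datagram from any other source.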
