program/binary ip filtering

Kevin Hunter hunteke at earlham.edu
Wed Apr 18 19:57:54 UTC 2007 

At 3:46p -0400 18 Apr 2007, Chuck Swiger wrote:
> On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:
>> At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
>>> Are you saying that you want to have the packet filter check to  
>>> see what application is listening on a particular port, then  
>>> allow/deny access based on the name of the application?
>>
>> Exactly.
>
> You should consider just how difficult it is to rename a malicious  
> program to, say, "ssh" in order to get around such checking.   
> (Answer: trivial.)  If you really want to control traffic in this  
> fashion, you should look towards what the industry calls "deep  
> packet inspection" or mandatory usage of proxies for all permitted  
> protocols, instead.

Hrm.  I was assuming that if I got into the nitty gritty, I could do  
more than just check the name of the binary, but perhaps not?  Thanks  
for the warning.

>>> Do you not have control over what is run on this system?
>>
>> So perhaps our specific example might be prudent:
[snip]
>> It's blocking because we are dropping all packets not destined for  
>> port 22.  Since ssh /from/ the bastion picks a random high port,  
>> it's dropping all the return packets to that random high port.
>>
>> How have others handled this type of scenario, where a hardening  
>> of a bastion host has been desired/necessary?
>
> The main approaches are to use a stateful firewall ruleset, to  
> explicitly permit return traffic via additional rules, or to simply  
> permit established connections through.  These options are arranged  
> in rough order of how secure they are.

I have been given to understand that this approach does not lend  
itself to fine-tuning down the road, if such -- for /some/ reason --  
were needed. . . .?

> I suspect that you are encountering a steep learning curve,

You are /probably/ (read: definitely) correct.  I am. :-)

> and that some additional reading will help you make much better  
> decisions about how to configure a firewall.
>
> Consider getting either or both of:
>
> "Building Internet Firewalls", ISBN-10: 1565928717
> http://www.oreilly.com/catalog/fire2/
>
> "Firewalls and Internet Security: Repelling the Wily Hacker",  
> ISBN-10: 020163466X
> http://www.aw-bc.com/catalog/academic/product/0,1144,020163466X, 
> 00.html

Will look into those.  Thank you again.

Kevin

More information about the freebsd-questions mailing list