program/binary ip filtering
cswiger at mac.com
Wed Apr 18 19:47:01 UTC 2007
On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:
> At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
>>> We are in the process of setting up a bastion host. One of the
>>> things we'd like to do is to filter packets not only at the ip
>>> layer, but by what program is listening on a particular port. Is
>>> this a possibility?
>> Are you saying that you want to have the packet filter check to
>> see what application is listening on a particular port, then allow/
>> deny access based on the name of the application?
You should consider just how difficult it is to rename a malicious
program to, say, "ssh" in order to get around such checking.
(Answer: trivial.) If you really want to control traffic in this
fashion, you should look towards what the industry calls "deep packet
inspection" or mandatory usage of proxies for all permitted
>> Do you not have control over what is run on this system?
> So perhaps our specific example might be prudent:
> kevin $: ssh bastion
> bastion $: ssh internalserver
> Relevant part of log:
> Apr 18 09:35:23 kappia ipmon: 09:35:22.695348 fxp0 \
> @0:4 b internalserver,22 -> bastion,53136 PR tcp \
> len 20 52 -AS IN
> It's blocking because we are dropping all packets not destined for
> port 22. Since ssh /from/ the bastion picks a random high port,
> it's dropping all the return packets to that random high port.
> How have others handled this type of scenario, where a hardening of
> a bastion host has been desired/necessary?
The main approaches are to use a stateful firewall ruleset, to
explicitly permit return traffic via additional rules, or to simply
permit established connections through. These options are arranged
in rough order of how secure they are. I suspect that you are
encountering a steep learning curve, and that some additional reading
will help you make much better decisions about how to configure a
Consider getting either or both of:
"Building Internet Firewalls", ISBN-10: 1565928717
"Firewalls and Internet Security: Repelling the Wily Hacker",
More information about the freebsd-questions