program/binary ip filtering

Chuck Swiger cswiger at
Wed Apr 18 19:47:01 UTC 2007

On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:
> At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
>>> We are in the process of setting up a bastion host.  One of the  
>>> things we'd like to do is to filter packets not only at the ip  
>>> layer, but by what program is listening on a particular port.  Is  
>>> this a possibility?
>> Are you saying that you want to have the packet filter check to  
>> see what application is listening on a particular port, then allow/ 
>> deny access based on the name of the application?
> Exactly.

You should consider just how difficult it is to rename a malicious  
program to, say, "ssh" in order to get around such checking.   
(Answer: trivial.)  If you really want to control traffic in this  
fashion, you should look towards what the industry calls "deep packet  
inspection" or mandatory usage of proxies for all permitted  
protocols, instead.

>> Do you not have control over what is run on this system?
> So perhaps our specific example might be prudent:
> kevin $: ssh bastion
> bastion $: ssh internalserver
> <hang>
> Relevant part of log:
> Apr 18 09:35:23 kappia ipmon[405]: 09:35:22.695348 fxp0 \
> 	@0:4 b internalserver,22 -> bastion,53136 PR tcp \
> 	len 20 52 -AS IN
> It's blocking because we are dropping all packets not destined for  
> port 22.  Since ssh /from/ the bastion picks a random high port,  
> it's dropping all the return packets to that random high port.
> How have others handled this type of scenario, where a hardening of  
> a bastion host has been desired/necessary?

The main approaches are to use a stateful firewall ruleset, to  
explicitly permit return traffic via additional rules, or to simply  
permit established connections through.  These options are arranged  
in rough order of how secure they are.  I suspect that you are  
encountering a steep learning curve, and that some additional reading  
will help you make much better decisions about how to configure a  

Consider getting either or both of:

"Building Internet Firewalls", ISBN-10: 1565928717

"Firewalls and Internet Security: Repelling the Wily Hacker",  
ISBN-10: 020163466X,1144,020163466X,00.html


More information about the freebsd-questions mailing list