mkettler at ...4108...
Tue Nov 18 08:52:10 EST 2003
At 06:13 AM 11/15/2003, Mark Fagan wrote:
>I don't fully agree here.
>Unless you're using an antique firewall it's not possible to allow traffic based
>on source port.
To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF,
Cisco PIX, and Cisco IOS has some form of rule which you can add to force
allow traffic to pass the firewall based only on source port.
Not that it's a good idea.. but I challenge your assertion that it's not
possible on a modern firewall... In fact, I'd be surprised if _any_ major
firewalls would flat out refuse such a rule if manually configured to do
so.. Maybe some of the more paranoid ones such as the Secure Computing
Sidewinder G2 might refuse such things, but certainly there are a large
number of major firewalls that will accept such things.
>Also anyone who (where possible) allows traffic based on source port needs
>their heads examined.
I agree.. that's why I referred to said admins as incompetent. Yes, they do
need their heads examined, but there really are admins out there that know
absolutely nothing about TCP/IP that are administering firewalls. It's very
common for a small company to have a single MCSE guy on staff to run their
Windows NT/2k/2003 file servers who is also responsible (by default) for
running the firewall..
Not all MCSEs know TCP/IP, and the ones that don't are just going to make
up some arbitrary bypass rules to "make it work" without understanding
what's going on. This really does happen, and hackers do know it, and do
try to take advantage of it.
>The source port seems spoofed in this example, however B2B applications I've
>seen previously can use the same source as dest port for communication, so don't
>panic until you actually investigate the source.
In this case it's not the same src/dest port pairing.. it's TCP traffic
from an HTTP port to a DNS port.. That traffic pattern is VERY suspect.
Sure it's possible that some crack-smoking Windows programmer decided that
DNS queries should be done using port 80 as a source, and be done using TCP
instead of UDP.. but that's not very likely.
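The traffic pattern argued over in this thread (a new TCP connection whose source port is a service port like 80 and whose destination is another service port like 53, versus the same-port pairing some B2B applications use) can be turned into a small triage filter. The script below is an added example written for this archive page, not code from the poster or from the Snort project. It reads constructed connection records in a made-up one-line format (`<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>`), looks only at bare SYNs, and flags those whose source port is in an assumed `SERVICE_PORTS` table; the port table, the record format and the sample lines are all assumptions for the example. It goes slightly beyond the thread's single 80-to-53 case by treating any service source port the same way, and it separates the "same port both ends" case into a lower-severity "investigate" verdict, as the reply suggests.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known service ports that a stateless "allow if the source port is X"
# firewall rule would trust. Constructed for this example; adjust to local policy.
SERVICE_PORTS = {20: "ftp-data", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters, tcpdump/Snort style: "S" = bare SYN, "SA" = SYN-ACK


def parse_line(line: str) -> Conn:
    """Parse one record in the constructed format
    '<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>'."""
    proto, src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), flags)


def classify(conn: Conn) -> Optional[str]:
    """Return a verdict for one record, or None if it looks like ordinary traffic."""
    # Only new TCP connection attempts (a bare SYN) matter here. A server's
    # replies from port 80 back to a client's high port are normal traffic.
    if conn.proto != "tcp" or conn.flags != "S":
        return None
    if conn.src_port not in SERVICE_PORTS:
        return None  # client used an ephemeral source port, as expected
    src_name = SERVICE_PORTS[conn.src_port]
    if conn.src_port == conn.dst_port:
        # Same port on both ends: some B2B applications genuinely do this,
        # so ask for investigation rather than calling it hostile outright.
        return f"investigate: same-port pairing {src_name}/{src_name}"
    dst_name = SERVICE_PORTS.get(conn.dst_port, f"port {conn.dst_port}")
    # A connection *initiated* from a service port toward another service
    # is the pattern the thread calls very suspect (e.g. port 80 -> port 53).
    return f"suspect: new connection from {src_name} port to {dst_name}"


def scan(lines):
    """Run classify over an iterable of records; return [(line, verdict), ...]
    for the records that were flagged."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        verdict = classify(parse_line(line))
        if verdict:
            findings.append((line, verdict))
    return findings


# Constructed sample records (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOG = """
tcp 203.0.113.5:80 -> 192.0.2.10:53 S
tcp 192.0.2.10:41234 -> 203.0.113.5:80 S
tcp 203.0.113.5:80 -> 192.0.2.10:41234 SA
tcp 192.0.2.10:52001 -> 192.0.2.1:53 S
tcp 198.51.100.7:443 -> 192.0.2.20:443 S
udp 192.0.2.10:53210 -> 192.0.2.1:53 -
"""

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:55} {line}")
```

Run against the sample, only the first record (SYN from port 80 to port 53) and the fifth (443 to 443) are reported; the ordinary client-to-server SYNs, the server's SYN-ACK reply and the UDP DNS query pass silently. Restricting the check to bare SYNs is what keeps a stateful view of the traffic: it is the direction of connection setup, not the mere presence of port 80 in a packet, that distinguishes a bypass attempt from legitimate return traffic.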