r00t at ...10564...
Wed Nov 19 03:58:03 EST 2003
I don't actually work with many of the firewalls you mentioned except for the
PIX; I also work with Checkpoint and Netscreen.
For Checkpoint and Netscreen you would need to really do things arse-ways in
order to make such a mistake.
I would like to hear any other views on this.
Do people really do filtering based on source port?
Also, I have been an MCSE since 3.5 and feel MCSEs tend not to know very much
about IP anyway.
Quoting Matt Kettler <mkettler at ...4108...>:
> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> >I don't fully agree here.
> >Unless you're using an antique firewall it's not possible to allow traffic
> >on source port.
> To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF,
> Cisco PIX, and Cisco IOS has some form of rule which you can add to force
> allow traffic to pass the firewall based only on source port.
> Not that it's a good idea, but I challenge your assertion that it's not
> possible on a modern firewall. In fact, I'd be surprised if _any_ major
> firewalls would flat out refuse such a rule if manually configured to do
> so. Maybe some of the more paranoid ones such as the Secure Computing
> Sidewinder G2 might refuse such things, but certainly there are a large
> number of major firewalls that will accept such things.
> >Also anyone who (where possible) allows traffic based on source port needs
> >their heads examined.
> I agree. That's why I referred to said admins as incompetent. Yes, they do
> need their heads examined, but there really are admins out there that know
> absolutely nothing about TCP/IP that are administering firewalls. It's very
> common for a small company to have a single MCSE guy on staff to run their
> Windows NT/2k/2003 file servers who is also responsible (by default) for
> running the firewall.
> Not all MCSEs know TCP/IP, and the ones that don't are just going to make
> up some arbitrary bypass rules to "make it work" without understanding
> what's going on. This really does happen, and hackers do know it, and do
> try to take advantage of it.
> >The source port seems spoofed in this example; however, B2B applications I've
> >seen previously can use the same source as dest port for communication, so
> >panic until you actually investigate the source.
> In this case it's not the same src/dest port pairing; it's TCP traffic
> from an HTTP port to a DNS port. That traffic pattern is VERY suspect.
> Sure, it's possible that some crack-smoking Windows programmer decided that
> DNS queries should be done using port 80 as a source, and be done using TCP
> instead of UDP, but that's not very likely.
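The point both posters circle around (a rule that admits traffic purely by source port is a bypass, and a new TCP connection from source port 80 to port 53 is the signature of someone abusing it) is easier to see with a small model. The following is an added example, not code from the original thread or from any of the firewalls named in it. The rule mini-language, the addresses, the packets and the `Firewall`/`Rule`/`Packet` names are all constructed for this example; the iptables lines in the comments are the real-world equivalents the model stands in for.

```python
"""Added example, not code from the original thread: a small model of a
packet filter showing why a rule that admits traffic purely by source port
is a bypass, plus a check for the pattern Matt describes (a new TCP
connection from source port 80 to destination port 53).

Rule syntax, addresses and packets are constructed for this example; they
are not iptables, PIX or Snort syntax.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # SYN set: a new connection attempt
    ack: bool = False    # ACK set: part of an existing exchange


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False      # match only traffic of flows already seen

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport))


def _flow(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p: Packet):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Firewall:
    """First-match packet filter with a connection table; default deny inbound."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()

    def outbound(self, pkt: Packet) -> str:
        # Inside hosts may initiate; remember the flow so the reply is admitted.
        self.conntrack.add(_flow(pkt))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.established:
                if _reverse(pkt) in self.conntrack or _flow(pkt) in self.conntrack:
                    return r.action
                continue
            if r.matches(pkt):
                if r.action == "allow" and pkt.syn and not pkt.ack:
                    self.conntrack.add(_flow(pkt))
                return r.action
        return "deny"


# The "make it work" ruleset: the admin saw web replies arriving from port 80
# and allowed anything inbound with source port 80 (iptables equivalent:
# "-p tcp --sport 80 -j ACCEPT"), alongside the normal inbound web rule.
NAIVE_RULES = [Rule("allow", proto="tcp", sport=80),
               Rule("allow", proto="tcp", dport=80)]

# Corrected: replies are admitted only for flows already in the connection
# table ("-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"), and new
# inbound connections only by destination port ("-p tcp --dport 80 --syn").
CORRECT_RULES = [Rule("allow", established=True),
                 Rule("allow", proto="tcp", dport=80)]

SERVICE_PORTS = {20, 21, 22, 25, 53, 80, 139, 443, 445}


def suspicious_source_port(pkt: Packet) -> bool:
    """Flag a new TCP connection whose source port is a server port and whose
    destination is a different server port (e.g. 80 -> 53). Same-port pairs
    are left alone, since some applications genuinely use them."""
    return (pkt.proto == "tcp" and pkt.syn and not pkt.ack
            and pkt.sport in SERVICE_PORTS and pkt.dport in SERVICE_PORTS
            and pkt.sport != pkt.dport)


def run_scenarios():
    """Return {scenario: (naive verdict, correct verdict, flagged)} for
    constructed packets; 10.0.0.0/24 is the inside network."""
    naive, good = Firewall(NAIVE_RULES), Firewall(CORRECT_RULES)
    out = {}
    # 1. An inside client opens a web connection; the server's SYN/ACK returns.
    req = Packet("tcp", "10.0.0.5", 40001, "203.0.113.9", 80, syn=True)
    naive.outbound(req); good.outbound(req)
    reply = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40001, syn=True, ack=True)
    out["legit_web_reply"] = (naive.inbound(reply), good.inbound(reply),
                              suspicious_source_port(reply))
    # 2. The pattern from the thread: TCP SYN from source port 80 to DNS.
    probe = Packet("tcp", "198.51.100.7", 80, "10.0.0.53", 53, syn=True)
    out["sport80_to_dns"] = (naive.inbound(probe), good.inbound(probe),
                             suspicious_source_port(probe))
    # 3. Same trick against a file server port; the naive rule passes it too.
    smb = Packet("tcp", "198.51.100.7", 80, "10.0.0.10", 445, syn=True)
    out["sport80_to_445"] = (naive.inbound(smb), good.inbound(smb),
                             suspicious_source_port(smb))
    # 4. A genuine new connection to the public web server is still allowed.
    web = Packet("tcp", "198.51.100.7", 51234, "10.0.0.80", 80, syn=True)
    out["new_web_conn"] = (naive.inbound(web), good.inbound(web),
                           suspicious_source_port(web))
    return out


if __name__ == "__main__":
    for name, (n, c, flagged) in run_scenarios().items():
        print(f"{name:16s} naive={n:5s} correct={c:5s} flagged={flagged}")
```

Both rulesets admit the legitimate reply in scenario 1, which is exactly why the naive rule looks like it works; only the connection-tracking ruleset refuses the source-port-80 SYNs aimed at 53 and 445. The `suspicious_source_port` check is the same logic a Snort rule on `tcp any 80 -> $HOME_NET 53` with `flags:S` would express, and it deliberately ignores same-port pairs so that the B2B case Mark mentions does not trip it.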