[Snort-users] Nmap

bmcdowell at ...7861... bmcdowell at ...7861...
Wed Nov 19 10:03:06 EST 2003


You know what, I just realized that I do do some filtering based on the source port:  outbound filtering.  E.g.

iptables -A FORWARD -s [webserver] --sport ! 80 -j DROP

There isn't anything wrong with doing that, is there?


Bob

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark Fagan
Sent: Wednesday, November 19, 2003 5:57 AM
To: Matt Kettler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Nmap


Hi Matt,

I dont actually work with many of the firewalls you mentioned except for the 
PIX, I also work with Checkpoint and Netscreen.

For Checkpoint and Netscreen you would need to really do things arse-ways in 
order to make such a mistake.

I would like to hear any other views on this.

Do people really do filtering based on source port ?????

Also I have been an MCSE since 3.5 and feel MCSE's tend not to know very much 
about IP anyway.

Cheers

Mark

Quoting Matt Kettler <mkettler at ...4108...>:

> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> >I dont fully agree here.
> >
> >Unless your using an antique firewall its not possible to allow traffic
> based
> >on source port.
> 
> To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF, 
> Cisco PIX, and Cisco IOS has some form of rule which you can add to force 
> allow traffic to pass the firewall based only on source port.
> 
> Not that it's a good idea.. but I challenge your assertion that it's not 
> possible on a modern firewall... In fact, I'd be surprised if _any_ major 
> firewalls would flat out refuse such a rule if manually configured to do 
> so.. Maybe some of the more paranoid ones such as the Secure Computing 
> Sidewinder G2 might refuse such things, but certainly there are a large 
> number of major firewalls that will accept such things.
> 
> 
> >Also anyone who (where possible) allows traffic based on source port needs
> >their heads examined.
> 
> I agree.. that's why I referred to said admins as incompetent. Yes, they do
> 
> need their heads examined, but there really are admins out there that know 
> absolutely nothing about TCP/IP that are administering firewalls. It's very
> 
> common for a small company to have a single MCSE guy on staff to run their 
> Windows NT/2k/2003 file servers who is also responsible (by default) for 
> running the firewall..
> 
> Not all MCSE's know TCP/IP, and the ones that don't are just going to make 
> up some arbitrary bypass rules to "make it work" without understanding 
> what's going on. This really does happen, and hackers do know it, and do 
> try to take advantage of it.
> 
> 
> >The source port seems spoofed in this example, however B2B applications I 
> >have
> >seen previously can use same source as dest port for communication, so
> dont
> >panic until you actually investigate the source.
> 
> In this case it's not the same src/dest port pairing.. it's TCP traffic 
> from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.
> 
> Sure it's possible that some crack smoking Windows programmer decided that 
> DNS queries should be done using port 80 as a source, and be done using TCP
> 
> instead of UDP.. but that's not very likely.
> 
> 
> 





-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




More information about the Snort-users mailing list