bmcdowell at ...7861...
Wed Nov 19 10:03:06 EST 2003
You know what, I just realized that I do do some filtering based on the source port: outbound filtering. E.g.
iptables -A FORWARD -p tcp -s [webserver] --sport ! 80 -j DROP
There isn't anything wrong with doing that, is there?
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Mark Fagan
Sent: Wednesday, November 19, 2003 5:57 AM
To: Matt Kettler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Nmap
I don't actually work with many of the firewalls you mentioned except for the
PIX; I also work with Checkpoint and Netscreen.
For Checkpoint and Netscreen you would need to really do things arse-ways in
order to make such a mistake.
I would like to hear any other views on this.
Do people really do filtering based on source port?
Also I have been an MCSE since 3.5 and feel MCSEs tend not to know very much
about IP anyway.
Quoting Matt Kettler <mkettler at ...4108...>:
> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> >I don't fully agree here.
> >Unless you're using an antique firewall it's not possible to allow traffic
> >on source port.
> To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF,
> Cisco PIX, and Cisco IOS has some form of rule which you can add to force
> allow traffic to pass the firewall based only on source port.
> Not that it's a good idea.. but I challenge your assertion that it's not
> possible on a modern firewall... In fact, I'd be surprised if _any_ major
> firewalls would flat out refuse such a rule if manually configured to do
> so.. Maybe some of the more paranoid ones such as the Secure Computing
> Sidewinder G2 might refuse such things, but certainly there are a large
> number of major firewalls that will accept such things.
> >Also anyone who (where possible) allows traffic based on source port needs
> >their heads examined.
> I agree.. that's why I referred to said admins as incompetent. Yes, they do
> need their heads examined, but there really are admins out there that know
> absolutely nothing about TCP/IP that are administering firewalls. It's very
> common for a small company to have a single MCSE guy on staff to run their
> Windows NT/2k/2003 file servers who is also responsible (by default) for
> running the firewall..
> Not all MCSEs know TCP/IP, and the ones that don't are just going to make
> up some arbitrary bypass rules to "make it work" without understanding
> what's going on. This really does happen, and hackers do know it, and do
> try to take advantage of it.
> >The source port seems spoofed in this example, however B2B applications I've
> >seen previously can use the same source as dest port for communication, so
> >panic until you actually investigate the source.
> In this case it's not the same src/dest port pairing.. it's TCP traffic
> from an HTTP port to a DNS port.. That traffic pattern is VERY suspect.
> Sure it's possible that some crack smoking Windows programmer decided that
> DNS queries should be done using port 80 as a source, and be done using TCP
> instead of UDP.. but that's not very likely.
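As an added example (not part of this thread): a small Python check over constructed iptables LOG lines that flags the pattern Matt describes, a new TCP connection (SYN without ACK) arriving from a well-known service port, and marks the same-source-and-destination-port case Mark mentions for review rather than as a high-severity hit. The log lines, addresses, port set and severity labels are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed iptables LOG lines (not from the original thread), trimmed to the
# fields the check reads. The first line is the pattern Matt describes: a TCP
# packet from source port 80 to destination port 53.
SAMPLE_LOG = """\
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=53 WINDOW=1024 SYN URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=40021 WINDOW=5840 ACK URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=53 WINDOW=1024 SYN URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 SYN URGP=0
kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=51000 LEN=80
"""

# Well-known service ports a "trust the source port" rule would typically let through.
SERVICE_PORTS = {20, 53, 80, 443}

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)(.*)$")


@dataclass
class Finding:
    src: str
    dst: str
    spt: int
    dpt: int
    severity: str  # "high": mismatched ports; "review": same src/dst port (B2B-style)


def suspicious_source_port_flows(log_text):
    """Flag inbound TCP connection attempts that originate from a service port.

    A server answering a client sends SYN/ACK or ACK on an existing flow; a bare
    SYN whose *source* is 80 or 53 is a client that picked that port on purpose,
    which only gets it anywhere if the firewall allows traffic based on source port.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, spt, dpt, rest = m.groups()
        spt, dpt, flags = int(spt), int(dpt), rest.split()
        if proto != "TCP" or spt not in SERVICE_PORTS:
            continue
        if "SYN" in flags and "ACK" not in flags:
            severity = "review" if spt == dpt else "high"
            findings.append(Finding(src, dst, spt, dpt, severity))
    return findings


if __name__ == "__main__":
    for f in suspicious_source_port_flows(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src} -> {f.dst} sport={f.spt} dport={f.dpt}")
```

The SYN-without-ACK test is what a stateful rule set gives you for free; a stateless `--sport 80 -j ACCEPT` rule passes all five lines.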