mkettler at ...4108...
Wed Nov 19 11:05:03 EST 2003
At 01:02 PM 11/19/2003, bmcdowell at ...7861... wrote:
>You know what, I just realized that I do do some filtering based on the
>source port: outbound filtering. E.g.
>iptables -A FORWARD -s [webserver] -p tcp ! --sport 80 -j DROP
>There isn't anything wrong with doing that, is there?
Not terribly. An attacker can evade that rule by taking your webserver
down and using port 80 as the source port when doing a connection to an
outside server. Note that there's no stateful inspection here, so the rule
won't stop an outbound connection from port 80 on your webserver to an
outside ftp server to download some added rootkit tools.
But it's a handy way to stop most automated worms from spreading out,
should one get into your webserver.
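The rule under discussion next to a stateful replacement, as an added example that is not part of the original post or of Snort. It assumes a placeholder web server address of 192.0.2.10 and, unless IPT=iptables is set, runs as a dry run that echoes the iptables commands instead of installing them, so it can be read and run without root. The `-m conntrack` match is today's spelling of what the reply calls stateful inspection.

```shell
#!/bin/sh
# Added example (not from the thread): the source-port egress filter next to a
# stateful replacement. WEBSERVER is an assumed placeholder address; IPT
# defaults to a dry run that echoes the commands instead of installing them.
WEBSERVER="${WEBSERVER:-192.0.2.10}"
IPT="${IPT:-echo iptables}"

# The rule from the thread, written so iptables accepts it: --sport is a TCP
# match, so -p tcp is required, and the negation goes before the option.
# It judges each packet on its own, so a connection the compromised server
# opens *from* port 80 (to a remote ftp server, say) is not matched and passes.
weak_rule() {
    $IPT -A FORWARD -s "$WEBSERVER" -p tcp ! --sport 80 -j DROP
}

# Stateful version: packets belonging to connections that outside clients
# opened to the server are ESTABLISHED and pass; a connection the server
# itself initiates is NEW and is logged, then dropped, whatever source port
# the attacker picks. The LOG line gives the IDS/SOC something to alert on.
stateful_rules() {
    $IPT -A FORWARD -s "$WEBSERVER" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$WEBSERVER" -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "webserver-egress: "
    $IPT -A FORWARD -s "$WEBSERVER" -m conntrack --ctstate NEW -j DROP
}

# "show" (default) prints both rule sets; "apply" installs the stateful ones.
case "${1:-show}" in
    show)  weak_rule; stateful_rules ;;
    apply) IPT=iptables; stateful_rules ;;
esac
```

If the server legitimately needs to open a few outbound connections itself (DNS to a local resolver, package updates), add ACCEPT rules for exactly those destinations before the final NEW DROP; everything else the server initiates, worm or rootkit download alike, still ends up logged and dropped.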