[Courses] [Security] Firewall theory -- general

[Raven, corporate courtesan]

Heya --

Quoth Hamster (Mon, Mar 11, 2002 at 11:19:39PM +0100):
> The numbers that the clients choose to initiate from - is that a predefined port, or do they pick it at random?

	It's chosen in a logical order by the client machine.  Generally
they start at a high port number (what that number is varies by OS and
implementation), and add one to that number each time they need to
establish a new client connection.  When they get up to 65,535 they
start over again at their baseline number, I believe, re-using anything
that's freed up.  If any TCP/IP programmers care to add detail or
corrections, that would be welcome.  I know what sort of a progression
of client port numbers you generally see, but I'm guessing as to how
that works inside the stack.

> > When the server sends its reply packets back to the client, they'll be
> > sent to port 35642.  So if you set up a firewall that blocks all ports
> > except for the services you run, you get this:
> > 
> > Client:     ---------------|----|---------------->  Server
> > 10.1.1.47, port 35642      | fw |                   10.1.1.2, port 22
> >                            |   *|----------------
> 
> Ok, now I'm a bit confused here.... If I only block incoming ports, then doesnt that mean that the server can still send stuff out on any port??

	Yes.  And that's the reason for the three different chains that
Coldfire mentioned.  You can filter traffic coming in, going out, being
forwarded, or any combination of the above.  So a cheap and easy way of
making sure that nobody on your network can set up a Web server is to
block anything that's outgoing from their connection with a source port
of 80.  (ISPs that sell cable modems often do this.)  And then if you
pay them the extra money for a business class account, they unblock the
port, and suddenly you're able to run a Web server.
  
> > Any other suggestions for things
> > we might want to look at in our firewall?
> 
> uh oh. Questions like that make me wonder if I have missed something obvious. Like making sure its plugged in.

	One thing we might want to consider is ICMP.  Do we want people
to be able to ping us?  To traceroute to our servers?  We should make
sure we don't break Path MTU discovery; that causes connection problems.
 
> One thing is maybe decide if should drop or deny?

	That's one thing.  The big debate there is between DROP
(silently discard, returning no ICMP error message to the person trying
to make the connection) or REJECT, which does return the error.
Strictly speaking, returning a REJECT is the right thing to do.
However, some people feel that that gives away too much information, and
so they prefer to drop.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work