Date: Thu, 22 Apr 1999 14:11:46 +0200
From: Valter Mazzaro <valter.mazzaro@ericsson.com>
To: freebsd-security@FreeBSD.ORG
Subject: Firewalls filtering UDP packets
Message-ID: <371F1202.C5F5DD5E@teidns1.tei.ericsson.se>
Hi,

I strongly need a suggestion from you guys!!! I'm not a security expert at all and probably what I'll ask doesn't make so much sense, but I'm dealing with a particular problem and I hope you could give me a hint.

I have a network that is connected to the outside world via an Access Server (Cisco 5200) which terminates dial-in calls. Behind the AS I have a FreeBSD firewall that lets the traffic get into the DMZ, where some IP services are provided (WWW server, DNS, TACACS+, etc.). The DMZ is separated from the internal net by another firewall.

For a particular service I need to allow UDP traffic to get into the DMZ. I know that it is usually not secure to allow such traffic in, but I need it anyway and I'd like to have the most secure solution I can. I was thinking of filtering packets following these rules:

- allow all the IP source addresses assigned by the AS (in a certain pool range) and incoming from the FW interface to which the AS is attached.
- allow all the UDP destination addresses that correspond to the port number on which the service daemon is listening.

My questions are two:

1) In your opinion, could this be enough or do you have some further suggestions?

2) This comes from my poor knowledge of Unix internals. I think, not sure :-( , that when a TCP connection is set up to a server, the server daemon is listening on a well-known port (like 23 in telnet). If a request comes from a client, the daemon forks the process that starts to listen on another socket (by consequence the TCP destination port will change for the packets coming from the client). Is it the same for UDP? I know that I'm speaking about a connectionless thing, but for my problem it's important to know whether the UDP destination port (not to be filtered in the FW) changes.

Thank you a lot in advance, sorry for my long text and please reply to my email address as well, as I'm not subscribed to the list at the moment.
Valter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?371F1202.C5F5DD5E>
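Added example, not part of the original message or any reply to it: the poster's second question (does the port a UDP daemon listens on change after it answers a request, the way he suspects a forking TCP server's port does) can be answered by observation. The script below starts a tiny UDP echo daemon and a tiny TCP accept() server on 127.0.0.1, each on an ephemeral port, sends two requests to each, and records which server-side port the client actually talked to. The addresses, the one-line request/reply protocol and the port 0 binds are constructed for this demo; nothing here is the poster's setup.

```python
"""Added example: does a server's port change after it handles a request?

A UDP daemon has no accept(): it keeps receiving every datagram on the one
socket it bound, and replies leave from that same port.  A TCP listener's
accept() returns a new socket, but that socket's local port is still the
listening port; only the remote side of the 4-tuple differs.  Both servers
bind 127.0.0.1 port 0 (kernel-chosen port) so the demo runs anywhere.
"""
import socket
import threading


def udp_echo_server(sock, requests):
    # One socket for every datagram: the destination port the clients use
    # never changes, and each reply is sent from that same bound port.
    for _ in range(requests):
        data, peer = sock.recvfrom(1024)
        sock.sendto(b"ack:" + data, peer)


def tcp_accept_server(listener, connections):
    for _ in range(connections):
        conn, _ = listener.accept()
        # A forked or threaded handler would inherit conn; its local port is
        # still the listening port.  Here we just echo in the same thread.
        with conn:
            conn.sendall(conn.recv(1024))


def udp_ports_seen(requests=2):
    """Return (bound_port, [source port of each reply]) for the UDP daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    worker = threading.Thread(target=udp_echo_server, args=(srv, requests))
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(5)
    reply_ports = []
    for i in range(requests):
        cli.sendto(b"req%d" % i, ("127.0.0.1", port))
        _, (_, sport) = cli.recvfrom(1024)
        reply_ports.append(sport)
    worker.join()
    srv.close()
    cli.close()
    return port, reply_ports


def tcp_ports_seen(connections=2):
    """Return (listen_port, [server-side port of each accepted connection])."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=tcp_accept_server, args=(listener, connections))
    worker.start()
    peer_ports = []
    for _ in range(connections):
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(b"hi")
            c.recv(1024)
            # getpeername() is the server-side address of this connection
            peer_ports.append(c.getpeername()[1])
    worker.join()
    listener.close()
    return port, peer_ports


if __name__ == "__main__":
    bound, replies = udp_ports_seen()
    print("UDP daemon bound to", bound, "; replies came from", replies)
    listen, accepted = tcp_ports_seen()
    print("TCP listener on", listen, "; accepted connections used", accepted)
```

Both lists come back equal to the bound port. For the filtering described in the message this means a stateless rule can pin the UDP destination port to the daemon's port without ever needing to widen it; the caveat a practitioner would add is that the reply direction (UDP from the service port back to the dial-in pool) needs its own rule on the same interface, and that restricting the source to the pool only helps because the rule is also tied to the AS-facing interface, since a pool address by itself can be forged by anyone who can reach another interface.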