Re: [fw-wiz] terminal services
From: Barney Wolff (barney@pit.databus.com)
Date: 01/28/03
- Next message: R. DuFresne: "RE: [fw-wiz] terminal services"
- Previous message: Paul D. Robertson: "RE: [fw-wiz] terminal services"
- In reply to: Paul D. Robertson: "RE: [fw-wiz] terminal services"
- Next in thread: m p: "RE: firewall design (was: RE: [fw-wiz] terminal services )"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Barney Wolff <barney@pit.databus.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jan 28 19:21:02 2003
On Tue, Jan 28, 2003 at 06:56:21PM -0500, Paul D. Robertson wrote:
>
> (UDP 1434)
> It's an ephemeral port- just blocking it may make random stuff not work in
> some situations (like say DNS...)
Any network without a state-keeping firewall between it and the Internet
really needs to have just one or two DNS caching proxies doing requests
from port 53, ditto NTP, and block all other UDP. Anything else is just
too dangerous, not by a little, but by a whole lot.
This worm sent from random source ports, but the next one will surely
send from 53 or 123, and all the folks who have allow any 53 to any
rules will get hit. Together with the folks who have allow any 20 to any.
Some things just can't be done safely without state, so if you need to
do them, you need to keep state.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
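An added illustration of the point above about source-port rules versus state (example code, not part of the original post): a toy Python filter contrasts an "allow any 53 to any" UDP rule with a filter that only admits replies to queries it saw leave. All addresses, ports and packets are constructed for the demo.

```python
# Added example (not from the mailing-list post): a toy packet filter comparing
# a stateless "allow UDP from source port 53/123 to anything" rule with a
# stateful filter that admits only replies to previously seen outbound queries.
# Every packet below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# The stateless policy criticised in the post: trust the source port alone.
TRUSTED_SOURCE_PORTS = {53, 123}


def stateless_allows(pkt: Packet) -> bool:
    """Permit any UDP packet whose source port is 53 or 123, whatever the destination."""
    return pkt.proto == "udp" and pkt.sport in TRUSTED_SOURCE_PORTS


class StatefulFilter:
    """Keeps a table of outbound UDP flows and admits only inbound packets that mirror one."""

    def __init__(self) -> None:
        self._flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> None:
        # Record the 4-tuple of a query leaving the network (e.g. caching resolver -> server).
        self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt: Packet) -> bool:
        # A reply is valid only if it reverses a flow already in the table.
        return pkt.proto == "udp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows


def demo() -> dict:
    fw = StatefulFilter()
    # Legitimate: the internal caching resolver queries an outside DNS server from port 53.
    fw.outbound(Packet("10.0.0.53", 53, "198.51.100.1", 53))
    reply = Packet("198.51.100.1", 53, "10.0.0.53", 53)
    # Unsolicited: an outside host sends from port 53 to an internal host's port 1434.
    unsolicited = Packet("203.0.113.9", 53, "10.0.0.77", 1434)
    return {
        "reply_stateless": stateless_allows(reply),          # True
        "reply_stateful": fw.inbound_allows(reply),          # True
        "unsolicited_stateless": stateless_allows(unsolicited),  # True: sport 53 is enough
        "unsolicited_stateful": fw.inbound_allows(unsolicited),  # False: nobody asked for it
    }
```

The stateless rule passes both packets because it only looks at the source port; the flow table admits the genuine reply and drops the unsolicited one.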