Re: Firewall Question

From: Paul Devisser (groups@goopie.com)
Date: 06/14/02


From: "Paul Devisser" <groups@goopie.com>
To: "Vincent DiCarlore" <dicarlore@hotmail.com>
Date: Fri, 14 Jun 2002 14:24:01 -0400

Greetings,

I think you misunderstand one of the basics of firewall configuration...

Your basic typical firewall has a trusted and an untrusted interface. The
trusted is internal, the untrusted is external. If you open port 80 on the
external interface, then people outside can initiate traffic through the
firewall on that port... unless you are running a specific service (like a
web server) on that port, allowing that kind of access is not a good idea.

Try allowing internal -> external traffic. If you want your users only to
access websites, restrict that to http. Deny all external -> internal. As
simple as that. Of course, it gets more complicated if the firewall is
performing NAT, and external IPs are being specifically forwarded to
internal machines, etc.

Try the following for more information

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Also, when you go to visit a web page from your machine, it doesn't open
port 80 on the local machine, it opens a random port to initiate the
connection to port 80 on the remote IP... an example from running netstat on
my machine here at work...

  Proto  Local Address   Foreign Address      State
  TCP    rbeckett:2059   www.cisco.com:80     LAST_ACK
  TCP    rbeckett:2078   www.google.com:80    ESTABLISHED
  TCP    rbeckett:2079   www.google.com:80    ESTABLISHED
  TCP    rbeckett:2080   www.cisco.com:80     ESTABLISHED
  TCP    rbeckett:2737   209.61.191.170:80    CLOSE_WAIT

As you notice, internal traffic originates on random ports... even though
all traffic goes to port 80 on the remote machine... if you only allow
traffic on port 80, all my requests would have been blocked.

Paul Devisser

----- Original Message -----
From: "Vincent DiCarlore" <dicarlore@hotmail.com>
To: <security-basics@securityfocus.com>
Sent: Thursday, June 13, 2002 11:36 AM
Subject: Firewall Question

>
> Hi all,
>
> I have some questions below:
>
> 1. Is PIX firewall a proxy server? If I want to allow internal network to
> access Internet, besides opening port 80 at the access list from internal
> interface going, do I need to open the port 80 from external interface? If
> no, why? Is it because it is a proxy server?
>
> 2. In the case of Cisco router, what should I do in order to allow Internet
> access from internal? It failed to access Internet when I just allow port 80
> opened in the access list of the internal interface. What port should I open
> in the external interface?

Just to reiterate a point.. only open ports on the external interface when
you are providing a service on that port... essentially it is a door
allowing people access to your network.

>
> Thank you very much for your information.
>
>
> Best Regards,
> Vincent DiCarlore

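The point Paul makes above (the client picks a random source port, so a filter that only permits "port 80" on the inside interface never lets the replies back in) can be reproduced with a small packet-filter simulation. This is an added example, not code from the thread or from Cisco: the addresses, the ephemeral port and the rule format are constructed, and the "established" check models the behaviour of the IOS `established` keyword (match segments with ACK or RST set). It runs Vincent's original ACL, the "also open 80 on the outside" variant, and the stateless fix (`permit tcp any eq 80 any established` on the outside interface) against one HTTP handshake and one unsolicited inbound SYN, then does the same with a PIX-style stateful filter.

```python
"""
Why 'permit port 80 on the inside interface' is not enough on a stateless router
ACL, and what a stateful (PIX-style) firewall does instead.

Added example, not part of the original post. The addresses, the ephemeral
port and the rule representation below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST

    @property
    def established(self) -> bool:
        # The IOS 'established' keyword matches segments with ACK or RST set,
        # i.e. everything except the initial SYN of a new connection.
        return "A" in self.flags or "R" in self.flags


# A stateless rule is (source port or None, destination port or None, require 'established').
# "outbound" = packets entering the inside interface (internal -> external),
# "inbound"  = packets entering the outside interface (external -> internal).
def stateless_filter(pkt: Packet, direction: str, acl: dict) -> bool:
    """Return True if the first matching rule permits the packet; implicit deny otherwise."""
    for sport, dport, need_established in acl.get(direction, []):
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if need_established and not pkt.established:
            continue
        return True
    return False


class StatefulFirewall:
    """PIX-like behaviour: an outbound connection that matches policy is recorded,
    and only replies to recorded connections are let back in."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.state = set()  # (src, sport, dst, dport) of permitted outbound flows

    def filter(self, pkt: Packet, direction: str) -> bool:
        if direction == "outbound":
            if pkt.dport in self.allowed:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # inbound: the reply must mirror a tracked outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state


CLIENT, SERVER, ATTACKER = "10.0.0.5", "198.51.100.10", "203.0.113.7"  # constructed
EPHEMERAL = 2059  # client-chosen source port, like the ones in the netstat output


def http_round_trip():
    """The three packets that open a web connection, with the direction each crosses."""
    return [
        ("outbound", Packet(CLIENT, EPHEMERAL, SERVER, 80, "S")),
        ("inbound",  Packet(SERVER, 80, CLIENT, EPHEMERAL, "SA")),
        ("outbound", Packet(CLIENT, EPHEMERAL, SERVER, 80, "A")),
    ]


def unsolicited_inbound() -> Packet:
    """Someone on the Internet trying to reach a web server on an inside host."""
    return Packet(ATTACKER, 40000, CLIENT, 80, "S")


# Only 'permit tcp any any eq 80' on the inside interface, nothing on the outside.
BROKEN_ACL = {"outbound": [(None, 80, False)], "inbound": []}
# "Open port 80 on the external interface" as well: a door into the network.
NAIVE_ACL = {"outbound": [(None, 80, False)], "inbound": [(None, 80, False)]}
# Stateless fix: 'permit tcp any eq 80 any established' on the outside interface.
FIXED_ACL = {"outbound": [(None, 80, False)], "inbound": [(80, None, True)]}


def run_stateless(acl: dict) -> list:
    """Verdict for each packet of the handshake under a stateless ACL."""
    return [stateless_filter(p, d, acl) for d, p in http_round_trip()]


def run_stateful(allowed_ports) -> tuple:
    """(handshake verdicts, verdict for the unsolicited inbound SYN) under a stateful filter."""
    fw = StatefulFirewall(allowed_ports)
    round_trip = [fw.filter(p, d) for d, p in http_round_trip()]
    return round_trip, fw.filter(unsolicited_inbound(), "inbound")


if __name__ == "__main__":
    for name, acl in [("broken", BROKEN_ACL), ("naive", NAIVE_ACL), ("fixed", FIXED_ACL)]:
        print(name, run_stateless(acl), "unsolicited SYN passes:",
              stateless_filter(unsolicited_inbound(), "inbound", acl))
    print("stateful", run_stateful({80}))
```

With the broken ACL the SYN leaves but the SYN-ACK, addressed to port 2059, is dropped on the outside interface, so the browser hangs. Opening port 80 inbound does not help the handshake at all (the reply is still to port 2059) but does let an outsider's SYN to an inside host's port 80 through, which is the "door" Paul warns about. The `established` rule fixes the handshake on a stateless router, but it only looks at TCP flags, so a crafted packet with ACK set can still reach high ports on inside hosts; a stateful device such as the PIX admits only packets that mirror a connection it saw going out.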