
Security Basics mailing list archives

Re: Avoiding tunnels
From: Neil <neil () voidfx net>
Date: Thu, 02 Mar 2006 17:25:45 +0530

David Gillett wrote:
> > I think if you tell the firewall only to accept HTTP on port 
> > 80, that'll do the trick (requires stateful inspecting firewall).
>
>   Unfortunately, that's not what stateful inspection is.
>
>   When a packet filter receives a packet, it looks at the source,
> destination, port numbers and flags, and decides to permit or
> drop the packet *in isolation*.
>   A *stateful* packet filter maintains a list of current active
> connections.  A packet that is appropriate for the "state" of a 
> current connection sails on through.  (It might change the state
> of the connection-table entry, if, for instance, the FIN or RST
> flags are set....)
>
>   That leaves four other cases to be dealt with:
>
> 1.  This packet is trying to start a new connection, which matches
> a "permit" rule.  Add the connection (in its initial state) to the
> connection table.
>
> 2.  This packet is trying to start a new connection, which matches
> a deny/drop/reject rule.
>
> 3.  This packet isn't trying to start a new connection (at least by
> normal rules...), and doesn't match an existing connection in the
> table.  A non-stateful packet filter would have let this by, but
> by being stateful, we can block it.  [I see an awful lot of unsolicited
> SYN-ACK packets, and sometimes applications seem to be willing to 
> accept that as a connection....]
>
> 4.  Special protocols, such as FTP.  Having established initial
> contact (see #1), client and server agree to begin additional
> connections on arbitrary ports.  With a non-stateful packet filter,
> the only way I can permit these protocols is by leaving huge swaths 
> of open ports.  But a stateful packet-inspection implementation can
> "listen in" on the conversation and make an appropriate entry in the 
> connection table (actually, usually, a temporary entry in the "permit"
>
>   You may perhaps have been thinking of "deep inspection", where the
> firewall knows about protocol details and so can, for instance, verify
> that that stuff using port 80 is really HTTP.
>
> David Gillett

I was (thinking of deep inspection).  My mistake, thanks for the correction.

"I'm not here. You're not there. Don't leave a message. There is no beep."
--Jean-Paul Sartre's answering machine.
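
To make the four cases in the reply concrete, here is a small added example; it is not code from this thread or from any firewall product. It is a toy stateful packet filter in Python: a connection table keyed on the client side of the 4-tuple, a permit list that is consulted only when a bare SYN tries to start a connection, and a simplified FTP helper that reads a PASV reply on an established port-21 connection and opens a one-shot pinhole for the data channel. All hosts, ports and packets are constructed for illustration, and the PASV parsing is deliberately minimal. The scenario function also shows the point made at the end of the reply: once a connection to port 80 is allowed to start, whatever bytes follow on it pass, because a stateful filter does not check that the traffic is HTTP.

```python
"""Toy stateful packet filter (added example, not code from the thread).
Hosts, ports and packets are constructed for illustration; the FTP helper
only understands a simplified PASV reply.
"""
import re
from dataclasses import dataclass

F = frozenset
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


class StatefulFilter:
    """Rules only judge connection *starts*; everything else is judged
    against the connection table (client side of the 4-tuple first)."""

    def __init__(self, permit_new):
        self.permit_new = set(permit_new)   # (dst_host, dst_port) allowed to start
        self.conn = {}                      # (c, cport, s, sport) -> state
        self.pinholes = set()               # one-shot permits learnt by the FTP helper

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conn or rev in self.conn:
            key = fwd if fwd in self.conn else rev      # part of a tracked connection
            self._advance(key, "c2s" if key == fwd else "s2c", p)
            return "ACCEPT"
        if p.flags == F({"SYN"}):                       # only a bare SYN opens a connection
            dst = (p.dst, p.dport)
            if dst in self.permit_new:                  # case 1: matches a permit rule
                self.conn[fwd] = "SYN_SENT"
                return "ACCEPT"
            if dst in self.pinholes:                    # case 4: helper-created permit
                self.pinholes.discard(dst)              # consumed by this connection
                self.conn[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"                               # case 2: no rule permits it
        return "DROP"                                   # case 3: not a SYN, not in the table

    def _advance(self, key, direction, p):
        state = self.conn[key]
        if "RST" in p.flags:
            del self.conn[key]
            return
        if state == "SYN_SENT" and direction == "s2c" and p.flags == F({"SYN", "ACK"}):
            self.conn[key] = "SYN_RECV"
        elif state == "SYN_RECV" and direction == "c2s" and "ACK" in p.flags:
            self.conn[key] = "ESTABLISHED"
        elif "FIN" in p.flags:
            self.conn[key] = "CLOSING"
        if self.conn[key] == "ESTABLISHED" and key[3] == 21 and direction == "s2c":
            self._ftp_helper(p)

    def _ftp_helper(self, p):
        # Listen in on the control channel: a "227 ... (h1,h2,h3,h4,p1,p2)" reply
        # names the server port the client will connect to next (port = p1*256+p2).
        m = PASV_RE.search(p.payload)
        if m:
            host = ".".join(m.group(i).decode() for i in range(1, 5))
            self.pinholes.add((host, int(m.group(5)) * 256 + int(m.group(6))))


def run_scenarios():
    """Drive the filter through the four cases; returns verdicts by name."""
    fw = StatefulFilter(permit_new={("203.0.113.10", 80), ("203.0.113.20", 21)})
    c, web, ftp = "192.0.2.5", "203.0.113.10", "203.0.113.20"   # constructed hosts
    v = {}
    # Case 1: SYN to a permitted port, then the rest of the handshake.
    v["syn_80"] = fw.process(Packet(c, 40001, web, 80, F({"SYN"})))
    v["synack_80"] = fw.process(Packet(web, 80, c, 40001, F({"SYN", "ACK"})))
    v["ack_80"] = fw.process(Packet(c, 40001, web, 80, F({"ACK"})))
    # Stateful is not deep inspection: non-HTTP bytes on the port-80 connection pass.
    v["ssh_on_80"] = fw.process(Packet(c, 40001, web, 80, F({"ACK"}), b"SSH-2.0-example\r\n"))
    # Case 2: SYN to a port no rule permits.
    v["syn_23"] = fw.process(Packet(c, 40002, web, 23, F({"SYN"})))
    # Case 3: unsolicited SYN-ACK with no table entry (a stateless filter might pass it).
    v["stray_synack"] = fw.process(Packet("198.51.100.9", 443, c, 40003, F({"SYN", "ACK"})))
    # Case 4: FTP control channel; the data port stays closed until the PASV reply is seen.
    fw.process(Packet(c, 40004, ftp, 21, F({"SYN"})))
    fw.process(Packet(ftp, 21, c, 40004, F({"SYN", "ACK"})))
    fw.process(Packet(c, 40004, ftp, 21, F({"ACK"})))
    v["data_before_pasv"] = fw.process(Packet(c, 40005, ftp, 5001, F({"SYN"})))
    fw.process(Packet(ftp, 21, c, 40004, F({"ACK"}),
                      b"227 Entering Passive Mode (203,0,113,20,19,137)\r\n"))  # 19*256+137 = 5001
    v["data_after_pasv"] = fw.process(Packet(c, 40006, ftp, 5001, F({"SYN"})))
    v["second_data_syn"] = fw.process(Packet(c, 40007, ftp, 5001, F({"SYN"})))  # pinhole used up
    return v


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

Two design points worth noting. The pinhole is discarded as soon as one SYN uses it, which is why the second SYN to the same data port is dropped; real conntrack helpers likewise create a short-lived expectation rather than a standing rule. And the `ssh_on_80` verdict is the whole of the reply's last paragraph in one line: the connection table knows the port and the handshake state, nothing more, so verifying that "stuff using port 80 is really HTTP" needs a protocol-aware layer on top of this one.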

