[ ... ]
> Does anyone know of a port scanner that allows you to specify the source port?
nmap (http://www.insecure.org/nmap/), with the -g option:
-g <portnumber>
Sets the source port number used in scans. Many
naive firewall and packet filter installations make
an exception in their ruleset to allow DNS (53) or
FTP-DATA (20) packets to come through and establish
a connection. [ ... ]
> I'm trying to test a filter that allows outbound only SMTP. My worry is that
> it is not stateful, and that an attacker using a source port of 25 can bypass
> the filter.
You don't need to perform stateful filtering to accomplish your goal, but you
do need to pay attention to whether incoming packets from the remote port 25
are "established". Here are some IPFW rules which show the general idea:
# permit SMTP exchange between pi and bjork/fw
# (per direction: the client's high port to 25, and the server's replies
#  from 25 back to the high port, which must carry ACK or RST)
$fwcmd add pass tcp from ${pi} ${hiports} to ${bjork} 25
$fwcmd add pass tcp from ${bjork} 25 to ${pi} ${hiports} established
$fwcmd add pass tcp from ${bjork} ${hiports} to ${pi} 25
$fwcmd add pass tcp from ${pi} 25 to ${bjork} ${hiports} established
$fwcmd add pass tcp from ${iip} ${hiports} to ${bjork} 25
$fwcmd add pass tcp from ${bjork} 25 to ${iip} ${hiports} established
# track SMTP from inside to outside and block SMTP from outside
# "setup" matches only the initial SYN (SYN set, ACK clear); "established"
# matches packets with ACK or RST set, so a bare SYN arriving from source
# port 25 matches neither and falls through to the default deny
$fwcmd add pass log logamount 20 tcp from ${inet}:${imask} ${hiports} to any 25 setup
$fwcmd add pass tcp from ${inet}:${imask} ${hiports} to any 25 established
$fwcmd add pass tcp from any 25 to ${inet}:${imask} ${hiports} established
$fwcmd add unreach filter-prohib log tcp from any to ${inet}:${imask} 25
=====
Needless to say, the firewall isn't listening on port 25 (or anything else but
port 22 for sshd), but it does send mail.
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 16 2001
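The source-port-25 bypass the question worries about, and why the `established` keyword in the rules above closes it, as an added example that is not part of Chuck's post or of ipfw itself: a small Python simulation of first-match, stateless TCP filtering. It evaluates a naive ruleset (port 25 on either end trusted outright, the filter the question describes) and a flag-aware transcription of the "track SMTP from inside to outside" block against constructed packets, including the kind `nmap -g 25` would send. The addresses, the reading of `${inet}:${imask}` as 10.0.0.0/24 and of `${hiports}` as 1024-65535 are assumptions made for the illustration.

```python
"""Stateless TCP filter simulation in the spirit of the ipfw rules above.

Added example, not code from the original post.  Addresses and the meaning
of ${inet}:${imask} and ${hiports} are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# TCP flag bits, same values as in the TCP header.
SYN, ACK, RST = 0x02, 0x10, 0x04

INSIDE_NET = "10.0.0."        # assumed: ${inet}:${imask} = 10.0.0.0/24
HIPORTS = range(1024, 65536)  # assumed: ${hiports} = 1024-65535


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


# ipfw semantics: "setup" = SYN set and ACK clear; "established" = ACK or RST set.
def is_setup(p: Packet) -> bool:
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Packet) -> bool:
    return bool(p.flags & (ACK | RST))


Rule = Tuple[str, Callable[[Packet], bool], str]  # (label, match, action)

# The filter the question describes: port 25 on either end is trusted
# outright, with no look at the TCP flags.
NAIVE_RULES: List[Rule] = [
    ("inside hiports -> any 25",
     lambda p: inside(p.src) and p.sport in HIPORTS and p.dport == 25, "pass"),
    ("any 25 -> inside hiports",
     lambda p: p.sport == 25 and inside(p.dst) and p.dport in HIPORTS, "pass"),
]

# The "track SMTP from inside to outside" block of the post, transcribed.
FLAG_AWARE_RULES: List[Rule] = [
    ("inside hiports -> any 25 setup",
     lambda p: inside(p.src) and p.sport in HIPORTS and p.dport == 25
     and is_setup(p), "pass"),
    ("inside hiports -> any 25 established",
     lambda p: inside(p.src) and p.sport in HIPORTS and p.dport == 25
     and is_established(p), "pass"),
    ("any 25 -> inside hiports established",
     lambda p: p.sport == 25 and inside(p.dst) and p.dport in HIPORTS
     and is_established(p), "pass"),
    ("any -> inside 25",
     lambda p: inside(p.dst) and p.dport == 25, "unreach"),
]


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First-match evaluation, as ipfw does; anything unmatched is denied."""
    for _label, match, action in rules:
        if match(p):
            return action
    return "deny"


# Constructed traffic: an inside client, an outside mail host, an attacker.
CLIENT, MAILHOST, ATTACKER = "10.0.0.5", "198.51.100.7", "203.0.113.9"

SCENARIOS: Dict[str, Packet] = {
    "client SYN out":        Packet(CLIENT, 40000, MAILHOST, 25, SYN),
    "server SYN/ACK back":   Packet(MAILHOST, 25, CLIENT, 40000, SYN | ACK),
    "attacker SYN sport 25": Packet(ATTACKER, 25, CLIENT, 40000, SYN),   # nmap -g 25
    "attacker SYN to 25":    Packet(ATTACKER, 25, CLIENT, 25, SYN),
    "attacker ACK sport 25": Packet(ATTACKER, 25, CLIENT, 40000, ACK),   # ACK scan
}


def run(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the given ruleset for every constructed scenario."""
    return {name: filter_packet(rules, p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    naive, aware = run(NAIVE_RULES), run(FLAG_AWARE_RULES)
    for name in SCENARIOS:
        print(f"{name:24s} naive={naive[name]:7s} flag-aware={aware[name]}")
```

Under the naive rules the attacker's SYN from source port 25 to an inside high port passes, which is exactly the bypass; under the flag-aware rules it matches no `established` rule and is denied, while the real server's SYN/ACK still gets through because it carries ACK. The remaining caveat a stateless filter cannot close: a packet from source port 25 with only ACK set (what an nmap ACK scan sends) still passes the `established` rule, and the inside host answers it with a RST. That reveals reachability, but it cannot open a connection, since no SYN from outside is ever accepted.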