the fundamental problem with the r* tools wasn't trusting an IP address,
it was trusting a 'root' source port.
if you have anti-spoofing filters on your perimeter then the only risk you
run with IP address rules are attacks from the same network. you will have
to look at your own situation to decide what's right for it.
David Lang
On Wed, 30 Apr 2003, Chris de Vidal wrote:
> Date: Wed, 30 Apr 2003 09:06:58 -0700 (PDT)
> From: Chris de Vidal <cdevidal_at_yahoo.com>
> Reply-To: chris_at_devidal.tv
> To: firewall-wizards_at_honor.icsalabs.com
> Subject: [fw-wiz] Trust an IP? (IPTables)
>
> I need to allow a backup server to connect to its port
> (20031) on a server running IPTables. I recall all of
> the security risks of trusting an IP (r* tools). Is
> it safe to allow a specific IP to connect to a
> specific port through the firewall? Something like
> this:
> MY_IP=123.456.789.11
> BACKUP_SERVER=123.456.789.10
> iptables -A INPUT -s $BACKUP_SERVER -i eth0 -p tcp --dport \
> 20031 -j ACCEPT
> (Also allow related/established traffic)
>
> If someone sniffed that traffic, they might spoof that
> IP and start probing that port for vulnerabilities.
>
> Locking it to the MAC address might be even better,
> but perhaps even that can be spoofed. That's why I'm
> asking the pros.
>
> So is it safe to trust an IP to connect to one port,
> a la the old r* tools? If not, what is a good alternative?
>
> =====
> /dev/idal
> "GNU/Linux is free freedom" --Me
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
Received on May 01 2003
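As an added example (not part of David Lang's reply or Chris de Vidal's post), the following shell function emits an iptables-restore ruleset that combines the trust rule from the question with the perimeter anti-spoofing filters the reply refers to. The addresses, the two interface names, the RFC 1918 network and the `ruleset_is_scoped` helper are assumptions; the 123.456.789.x values in the original post are placeholders and are not reused.

```shell
#!/bin/sh
# Added example, not code from the firewall-wizards thread.  Generates an
# iptables-restore(8) ruleset so the rules can be reviewed as text and then
# loaded atomically.  All addresses and interface names below are assumed.

INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"   # assumed: LAN behind the firewall
BACKUP_SERVER="${BACKUP_SERVER:-10.0.0.10}"   # assumed: backup host on that LAN
LAN_IF="${LAN_IF:-eth0}"                      # interface the backup host is reached on
WAN_IF="${WAN_IF:-eth1}"                      # assumed: outside (perimeter) interface
BACKUP_PORT="${BACKUP_PORT:-20031}"           # port from the question

# Print an iptables-restore ruleset on stdout.  Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file.
backup_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# Anti-spoofing at the perimeter: a packet claiming an internal source must
# never arrive on the outside interface, and a packet on the LAN interface
# must carry a LAN source.  Without these two lines an IP-based trust rule
# is only as strong as the source address on the wire.
-A INPUT -i ${WAN_IF} -s ${INTERNAL_NET} -j DROP
-A INPUT -i ${LAN_IF} ! -s ${INTERNAL_NET} -j DROP
# Existing connections first, so the trust rule only ever sees new sessions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The trust rule from the question, restricted to TCP (--dport requires -p),
# to the LAN interface, and to the initial SYN of a new connection.
-A INPUT -i ${LAN_IF} -p tcp -s ${BACKUP_SERVER} --dport ${BACKUP_PORT} --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: return 0 if the backup port is still limited
# to the backup host on the LAN interface, 1 otherwise.
ruleset_is_scoped() {
    backup_ruleset | grep -q -- "-i ${LAN_IF} -p tcp -s ${BACKUP_SERVER} --dport ${BACKUP_PORT}"
}

# Return 0 if the perimeter anti-spoofing drop for internal sources is present.
ruleset_has_antispoof() {
    backup_ruleset | grep -q -- "-A INPUT -i ${WAN_IF} -s ${INTERNAL_NET} -j DROP"
}

# Apply on the firewall with:  backup_ruleset | iptables-restore
```

Reviewing the generated text with `ruleset_is_scoped && ruleset_has_antispoof` before piping it to `iptables-restore` catches a typo in an address or interface variable before it reaches the kernel. The kernel's own reverse-path check (`net.ipv4.conf.all.rp_filter=1`) complements the interface-based drops but does not replace them, since it only rejects sources that the routing table says belong elsewhere. As the thread notes, none of this protects against a host on the same segment as the backup server; that residual risk is a property of address-based trust, not of the rule syntax.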