Re: Filtering http packet
Leonard (pmfan@infinetgroup.com)
Fri, 1 Aug 1997 15:43:26 -0700 (PDT)
On Fri, 1 Aug 1997, Tres Melton wrote:
> On Fri, 1 Aug 1997, Yohannes A Sulistyono wrote:
>
> > Hi,
> > I will set a filter for a specific user to only allow accessing http port
> > 80 (public port) at a specific host.
> >
> > Is this filter below enough to work properly :
> >
> > input filter : permit 0.0.0.0/0 202.152.0.251/32 tcp dst eq 80
> > output filter : permit 202.152.0.251/32 0.0.0.0/0 tcp src eq 80
Your input filter is correct. But you might want to add in DNS (port 53).
Your output filter will not work for reasons given by Tres. It will
suffice to have it as "permit 202.152.0.251/32 0.0.0.0/0" unless you feel
the need to protect your users with your firewall.
> >
> > TIA,
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Yohannes Aries Sulistyono email : aries@idola.net.id
>
> No, no, no. The request will go out from a user's machine, from an
> unknown host. In other words the initial request will be in the format:
>
> Source IP: user's.host
> Source Port: unknown (but > 1023)
> Dest IP: known.host
> Dest Port: 80
which basically translates to what he already has:
permit 0.0.0.0/0 202.152.0.201/32 tcp dst eq 80
> but because the server must keep port 80 open for more requests it
> transfers the socket to another port on the machine. All packets after
> the original will have an ACK (acknowledge) bit set. This bit can be used
> to distinguish between a request for a connection and the data of the
> connection! See my earlier email about firewalls and security (packet
> filters) for information on further research as to the connection
> algorithm. But anyway, the actual map of the connection will be as
> follows:
>
> Source IP: user's.host
> Source Port: unknown (but the same as above)
> Dest IP: known.host
> Dest Port: unknown (but > 1023)
>
> My suggestion:
> Filter In:
> allow only established connections.
> deny everything else
> Filter Out:
> deny everything DANGEROUS
> allow established connections
> allow port 80 to HTTP Server
> allow port 53 to Domain Name Server
> allow ports > 1023
> This allows requests to go out to the port
> allocated by the server's computer for the new
> HTTP requests.
> deny everything else
I hope you don't get offended, but I think you mixed up In and Out. The
PortMasters see filters as in/out relative to themselves. So "in" from say S0
is from the user's computer via S0 IN to the PM. And "out" is from the
network to the PM OUT via S0 to the user's computer. Other than that, you
got everything else said :)
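To make the two ideas in this thread concrete (filters being "in"/"out" relative to the PortMaster, and the ACK bit separating a new connection request from packets of an existing connection), here is a small Python model I wrote as an added illustration. It is not PortMaster configuration syntax and not code from Leonard's or Tres's mail. The user address 10.0.0.7, the unrelated host 203.0.113.9, the "first matching rule wins, everything unmatched is denied" semantics, and the TCP-only packet shape are assumptions of the model; DNS (port 53) and the "src eq 80" form are left out.

```python
"""Toy model of a direction-relative packet filter with an ACK-based
"established" rule. Constructed example, not PortMaster code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool  # TCP ACK flag; clear only on the very first SYN of a connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source network in CIDR form
    dst: str                        # destination network in CIDR form
    dst_port: Optional[int] = None  # "dst eq N" when set
    established: bool = False       # match only packets carrying ACK

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not pkt.ack:
            return False
        return True


def apply_filter(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (the
    'deny everything else' line of the thread). Assumed semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ANY = "0.0.0.0/0"
SERVER = "202.152.0.251/32"  # the web server from the original question
USER = "10.0.0.7"            # constructed dial-up address for the user's machine

# "In" filter on the user's serial port: traffic from the user's computer
# toward the PortMaster (Leonard's reading of in/out).
FILTER_IN = [Rule("permit", ANY, SERVER, dst_port=80)]

# "Out" filter: traffic from the network through the PortMaster to the user.
# Only packets belonging to a connection the user already opened (ACK set)
# are let through.
FILTER_OUT = [Rule("permit", SERVER, ANY, established=True)]


def demo() -> dict:
    """Run constructed packets through both filters and return the verdicts."""
    return {
        # user opens a connection to the web server: bare SYN, no ACK
        "user_syn_to_http": apply_filter(
            FILTER_IN, Packet(USER, 1025, "202.152.0.251", 80, ack=False)),
        # user tries another service on the same host: wrong destination port
        "user_syn_to_telnet": apply_filter(
            FILTER_IN, Packet(USER, 1026, "202.152.0.251", 23, ack=False)),
        # the server's SYN-ACK and all later data carry ACK -> established
        "server_synack": apply_filter(
            FILTER_OUT, Packet("202.152.0.251", 80, USER, 1025, ack=True)),
        # something at the server's address trying to open a NEW connection
        # to the user: no ACK, so not established, so dropped
        "server_new_syn": apply_filter(
            FILTER_OUT, Packet("202.152.0.251", 80, USER, 1025, ack=False)),
        # a host other than the permitted server, even with ACK set
        "other_host_ack": apply_filter(
            FILTER_OUT, Packet("203.0.113.9", 80, USER, 1025, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

One caveat worth keeping in mind with this style of rule: the "established" test here is stateless. It looks only at the ACK flag in each packet, so it cannot tell a genuine reply apart from any packet that simply has ACK set. It stops unsolicited connection attempts (bare SYNs) toward the user, which is the point of "allow only established connections", but it is a weaker guarantee than a filter that tracks the connections it has actually seen.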