Installing and Administering PPP

Chapter 5 111
Security Techniques
Writing a Stanza - A Complex UDP Example
In this situation, if you combined the original rules as in example (2), the
combined rule can be modified to permit the inbound request by removing the
restriction on ‘srcport’. However, the revised rule (2) still blocks the
outbound response, causing the query to fail. To permit the outbound
packet, you must add another rule following rule (2); call it rule (3).
(2) udp/192.168.199.11/dstport=domain
(3) udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=1024-65535
Comparing the examples (a) and (b) to examples (2) and (3), you have
reduced the number of rules needed from 4 to 2.
When trying to simplify, it is important to double-check your
assumptions. You should not use "udp/192.168.199.11/srcport=domain":
although it would permit the query to succeed, it also matches
packets that should not be permitted. That rule is equivalent in function to
the pseudocode that follows it.
(2) udp/192.168.199.11/srcport=domain
    if
        protocol is UDP AND
        source or destination IP address is 192.168.199.11 AND
        source port is domain (53)
    then
        permit the packet to pass
This means an outside host sending a UDP packet from port 53 to
192.168.199.11 can access ANY destination port, including privileged
ports used by other services. This would not be "safe".
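The over-match described above is easy to see by evaluating the candidate rules against a few packets. The following is an added example, not code from the PPP manual or from the PPP product: a small matcher for the rule notation used in this chapter. Its semantics are my reading of the text (a bare address matches either the source or the destination, ‘send’/‘recv’ restrict the direction, ‘domain’ means port 53, and ‘lo-hi’ is a port range); the sample packets and the outside host address 10.0.0.5 are constructed for the example.

```python
# Added example (not from the HP-UX PPP manual): a matcher for the
# filter-rule notation on this page, used to show why
# "udp/192.168.199.11/srcport=domain" permits more than intended.
# Assumed semantics: fields are '/'-separated; a bare address matches
# either endpoint; 'send'/'recv' restrict direction; ports may be a
# service name ('domain' = 53), a number, or a 'lo-hi' range.
from dataclasses import dataclass

PORT_NAMES = {"domain": 53}      # only the service name this page uses
DNS_SERVER = "192.168.199.11"    # the domain name server from the text


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "send" (outbound over the link) or "recv" (inbound)


def parse_port(spec):
    """'domain' -> (53, 53); '1024-65535' -> (1024, 65535); '53' -> (53, 53)."""
    if spec in PORT_NAMES:
        return (PORT_NAMES[spec], PORT_NAMES[spec])
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    return (lo, int(hi) if hi else lo)


def parse_rule(text):
    """Turn 'udp/srcaddr=.../srcport=.../send/dstport=...' into a dict."""
    fields = text.split("/")
    rule = {"proto": fields[0], "direction": None, "addr": None,
            "srcaddr": None, "dstaddr": None, "srcport": None, "dstport": None}
    for f in fields[1:]:
        if f in ("send", "recv"):
            rule["direction"] = f
        elif "=" in f:
            key, val = f.split("=", 1)
            rule[key] = parse_port(val) if key.endswith("port") else val
        else:
            rule["addr"] = f  # bare address: source OR destination
    return rule


def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    """True if every constraint present in the rule holds for the packet."""
    if rule["proto"] != pkt.proto:
        return False
    if rule["direction"] and rule["direction"] != pkt.direction:
        return False
    if rule["addr"] and rule["addr"] not in (pkt.src, pkt.dst):
        return False
    if rule["srcaddr"] and rule["srcaddr"] != pkt.src:
        return False
    if rule["dstaddr"] and rule["dstaddr"] != pkt.dst:
        return False
    return in_range(pkt.sport, rule["srcport"]) and in_range(pkt.dport, rule["dstport"])


def matched_packets(rule_text, packets):
    """Names of the (name, Packet) pairs that the rule would permit."""
    rule = parse_rule(rule_text)
    return [name for name, pkt in packets if matches(rule, pkt)]


# Constructed sample traffic: the two legitimate DNS packets of the
# page's trace, plus an inbound packet from port 53 aimed at a
# privileged (<1024) port on the server, which should NOT be permitted.
SAMPLE = [
    ("query_in", Packet("udp", "10.0.0.5", 40000, DNS_SERVER, 53, "recv")),
    ("reply_out", Packet("udp", DNS_SERVER, 53, "10.0.0.5", 40000, "send")),
    ("port53_to_privileged", Packet("udp", "10.0.0.5", 53, DNS_SERVER, 111, "recv")),
]

RULE_2 = "udp/192.168.199.11/dstport=domain"
RULE_3 = "udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=1024-65535"
BAD_RULE = "udp/192.168.199.11/srcport=domain"

if __name__ == "__main__":
    for r in (RULE_2, RULE_3, BAD_RULE):
        print(r, "->", matched_packets(r, SAMPLE))
```

Rules (2) and (3) between them permit exactly the query and its reply; the rejected rule permits the reply too, but also the packet from port 53 to the privileged port, which is the problem the text describes.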
Similarly, if an internal user on the domain name server uses an
application such as ‘nslookup’ to send a query directly to another domain
name server, rather than to the local domain name server, the packet
traces, and the rules needed to deal with them, change.
dns.unpriv -> any.domain # the outbound domain request
dns.unpriv <- any.domain # the inbound response to the request
Step 3 - Matching Packets as Closely as Possible
If you want your templates to match the packets as closely as possible,
you must add two further rules (c) to (a) and (b). You now have 6 rules if
you have not attempted to condense them.
(c) udp/srcaddr=192.168.199.11/srcport=1024-65535/send/dstport=domain
udp/dstaddr=192.168.199.11/dstport=1024-65535/recv/srcport=domain
If you have simplified rules (a) and (b) and have used rules (2) and (3),
the additional packets also cause rule (3) to block some of the necessary
traffic. This is because the inbound packet, while originating from the