Installing and Administering PPP

Chapter 5 121
Security Techniques
Closed Policy Filter Example
Allow incoming electronic mail connection requests to reach your SMTP
server, allow no other incoming SMTP connection requests, and allow
yourself unlimited outbound SMTP access.
www/syn/recv/dst/192.168.199.13 # permit inbound WWW (80/tcp) to the WWW server
!www/syn/recv/unreach=host # block other inbound WWW requests
www # permit WWW messages
Allow incoming World Wide Web connection requests to reach your
WWW server, allow no other incoming WWW connection requests, and
allow yourself unlimited outbound WWW access.
!dstport=ident/recv/unreach=rst # block IDENT service (113/tcp)
You do not use the RFC 1413 identification services, so you might as well
bounce the queries at the gateway instead of having inetd refuse the
connection. Respond with a TCP RST message. This does not improve
the security of your packet filter, since the packets would be blocked by
the final ‘!all’, but it does reduce the delay in services that make use of
‘ident’.
!telnet/syn/recv/unreach=prohibited # block inbound TELNET requests
telnet # permit TELNET messages
Allow outbound telnet connections from your network to anywhere else.
!finger/syn/recv/unreach=prohibited # block inbound FINGER requests
finger # permit FINGER messages
Block incoming finger requests until you install a safe finger daemon.
ftp/syn/recv/dst/192.168.199.12 # permit inbound FTP for anon FTP
!ftp/syn/recv/unreach=host # block other inbound FTP requests
Allow incoming FTP (file transfer) traffic that uses your Anonymous FTP
server system, but block any other incoming FTP requests. Respond
with an ICMP Destination Unreachable message with the Bad Host code
value.
ftp # permit FTP messages
srcport=ftp-data/dstport=1024-65536/syn # permit FTP-DATA connections from port 20 to unprivileged ports
!ftp-data/syn # block other FTP-DATA connections
ftp-data # permit FTP-DATA messages
After blocking the traffic specified above, allow both FTP command
streams and FTP data streams to cross the link, both inbound and
outbound.
dstport=33410-33515/udp/send # permit outbound traceroute operation