Installing and Administering PPP

126 Chapter 5
Security Techniques
Open Policy Filter Example
Block any incoming packets that claim to be from your net, and block any
outgoing packets that claim to be destined for your net. Respond with an
ICMP Destination Unreachable message that has the Bad Net code
value.
!127.0.0.0;8 # block IP spoofing attacks
Silently block all packets that claim to be either to or from the loopback
network.
!dstport=ident/recv/unreach=rst # block IDENT service (113/tcp)
You do not use the RFC 1413 identification services, so you might as well
bounce the queries at the gateway instead of having inetd refuse the
connection. Respond with a TCP RST message. This does not improve
the security of your packet filter, since the packets would be blocked by
the final ‘!all’, but it does reduce the delay in services that make use of
‘ident’.
!chargen/unreach=prohibited # block chargen service (19/tcp,19/udp)
!discard/unreach=prohibited # block discard service (9/tcp,9/udp)
!echo/unreach=prohibited # block echo service (7/tcp,7/udp)
Block access to your “character generator” port, and two others, because
they are only meant as testing facilities and could be used by someone
outside to swamp your network's bandwidth with unwanted, but
otherwise harmless, traffic.
!5/icmp # block ICMP_REDIRECT
Block ICMP redirect messages since the routing on an internal node
should not be changed by an external site.
!sunrpc # block portmap (sunrpc 111/tcp,111/udp)
!exec # block rexecd (512/tcp)
!login # block rlogind (513/tcp)
!shell # block rshd (514/tcp)
!syslog # block syslogd (514/udp)
!printer # block lpd (515/tcp)
!2049/udp # block nfsd (2049/udp)
Block access to a number of services that rely on the source IP address for
authentication, or that have no authentication built in.
!tftp # block tftp (69/udp)
Block access to the tftp port because the service is sometimes buggy and
thus permits access to files that should not be distributed, such as
password files. It is normally only used locally and should not be
receiving requests from outside the local area network.
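To see how the rule lines above combine into a policy, here is an added example (not HP's filter code, and not a parser of the real Filter file format) that models the subset of the syntax this page uses: a leading ‘!’ blocks, a bare service name matches either port, ‘dstport=’ picks the destination side, ‘addr;bits’ is a network, ‘/recv’ restricts direction, ‘/tcp’, ‘/udp’ and ‘/icmp’ restrict protocol, and ‘/unreach=’ chooses the reply. The port numbers come from the comments on this page; the rule order, the closing ‘!all’, the first-match semantics and the sample packets (203.0.113.9 outside, 192.0.2.10 the PPP host) are assumptions made for the example. The permit rules a real Filter file would place before ‘!all’ are not on this page, so everything not named is dropped by ‘!all’.

```python
"""Toy evaluator for the packet-filter rules quoted on this page (added example,
not HP's code). First matching rule wins; '!' blocks, /unreach= picks the reply."""
from collections import namedtuple
import ipaddress

# Port table built from the service names and numbers given on the page.
SERVICES = {"ident": [("tcp", 113)], "chargen": [("tcp", 19), ("udp", 19)],
            "discard": [("tcp", 9), ("udp", 9)], "echo": [("tcp", 7), ("udp", 7)],
            "sunrpc": [("tcp", 111), ("udp", 111)], "exec": [("tcp", 512)],
            "login": [("tcp", 513)], "shell": [("tcp", 514)], "syslog": [("udp", 514)],
            "printer": [("tcp", 515)], "tftp": [("udp", 69)]}

# The page's rules in order, closed by the '!all' the text mentions (assumed order).
FILTER_RULES = """
!127.0.0.0;8                     # silently drop loopback spoofs
!dstport=ident/recv/unreach=rst  # bounce IDENT queries with a TCP RST
!chargen/unreach=prohibited
!discard/unreach=prohibited
!echo/unreach=prohibited
!5/icmp                          # ICMP redirect
!sunrpc
!exec
!login
!shell
!syslog
!printer
!2049/udp
!tftp
!all
"""

# direction is "recv" or "send"; proto is "tcp", "udp" or "icmp".
Packet = namedtuple("Packet", "direction proto src dst sport dport icmp_type",
                    defaults=(0, 0, -1))

def service_ports(name):
    """Expand a service name or a bare port number into (proto, port) pairs."""
    return SERVICES.get(name) or [("tcp", int(name)), ("udp", int(name))]

def parse_rule(line):
    """Parse one filter line into (text, match, action); blank lines give None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    action = "drop" if body.startswith("!") else "pass"
    subject, *quals = body.lstrip("!").split("/")
    direction = proto = None
    for q in quals:
        if q in ("recv", "send"):
            direction = q
        elif q in ("tcp", "udp", "icmp"):
            proto = q
        elif q.startswith("unreach="):
            action = q                  # reply: ICMP unreachable or TCP RST
    preds = []
    if direction:
        preds.append(lambda p, d=direction: p.direction == d)
    if proto:
        preds.append(lambda p, pr=proto: p.proto == pr)
    if subject == "all":
        pass                            # no further constraint
    elif proto == "icmp" and subject.isdigit():
        preds.append(lambda p, t=int(subject): p.icmp_type == t)
    elif ";" in subject or (subject[0].isdigit() and "." in subject):
        addr, _, bits = subject.partition(";")   # network matches src or dst
        net = ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)
        preds.append(lambda p, n=net: ipaddress.ip_address(p.src) in n
                     or ipaddress.ip_address(p.dst) in n)
    else:
        side, _, name = subject.rpartition("=")  # side: "", srcport or dstport
        pairs = service_ports(name)
        def port_match(p, side=side, pairs=pairs):
            ports = {pt for pr, pt in pairs if pr == p.proto}   # empty for icmp
            if side == "dstport":
                return p.dport in ports
            if side == "srcport":
                return p.sport in ports
            return p.sport in ports or p.dport in ports
        preds.append(port_match)
    return body, (lambda p: all(f(p) for f in preds)), action

RULES = [r for r in map(parse_rule, FILTER_RULES.splitlines()) if r]

def classify(direction, proto, src, dst, sport=0, dport=0, icmp_type=-1):
    """Return (action, rule_text) for the first rule matching the packet."""
    pkt = Packet(direction, proto, src, dst, sport, dport, icmp_type)
    for text, match, action in RULES:
        if match(pkt):
            return action, text
    return "pass", "<no rule>"

if __name__ == "__main__":
    # Constructed sample packets: 203.0.113.9 is outside, 192.0.2.10 is the PPP host.
    for args in [("recv", "tcp", "203.0.113.9", "192.0.2.10", 40000, 113),
                 ("recv", "udp", "127.0.0.1", "192.0.2.10", 5000, 53),
                 ("recv", "udp", "203.0.113.9", "192.0.2.10", 5000, 19),
                 ("recv", "icmp", "203.0.113.9", "192.0.2.10", 0, 0, 5),
                 ("send", "tcp", "192.0.2.10", "203.0.113.9", 4000, 113)]:
        print(args, "->", classify(*args))
```

Running it shows the three behaviours the text distinguishes: the loopback rule drops silently in either direction, the ident rule answers an incoming query with a RST but leaves an outgoing one to ‘!all’ because of ‘/recv’, and the chargen, discard and echo rules fire on either port with an administratively prohibited reply. Anything not listed, including an incoming tcp/2049 packet that the udp-only NFS rule does not cover, reaches ‘!all’.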