Installing and Administering PPP

128 Chapter 5
Security Techniques
Open Policy Filter Example
queries, but TCP for zone transfers. If you try to block inbound requests
for a zone transfer, you must remember to add the ‘tcp’ qualifier to the
service name ‘domain’; otherwise the filter produces a syntax error.
Attempting to Send Hostnames Requiring Resolution over Down Network Links
You can easily (but mistakenly) use a hostname that must be resolved,
either because it is not defined or because it requires DNS, over a
network link that is down. This causes failures and/or delays. We
therefore strongly recommend using only IP addresses in filter files.
Failing to Allow Passage of 'ftp' Data Packets over the 'ftp-data' Port
Less commonly, some people who do not fully understand the protocol
permit only ‘ftp’ packets to pass through their filter. The FTP protocol
actually uses two channels: the first is used for commands and the
second for data. The second channel uses a separate port, commonly
‘ftp-data’, but the actual port is determined during the FTP
negotiation. The second channel is normally a reverse channel used to
transfer data back to the client.
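The three pitfalls above (a hostname where an IP address belongs, a bare ‘domain’ service name, and ‘ftp’ permitted without its data channel) can be caught before the filter file is loaded. The following is an added example and not part of the HP-UX PPP manual: a small Python lint that scans a Filter file for these patterns. The keyword and service tables it uses are assumptions (the keywords and service names seen on this page plus a few common ones), and the sample Filter text is constructed for illustration; the real grammar and your own /etc/services are authoritative.

```python
"""Lint a PPP Filter file for the pitfalls discussed above.

Added example; not the manual's own code. Checks:
  1. a token that looks like a hostname (needs resolution) rather than an
     IPv4 literal;
  2. the service name 'domain' used without a 'tcp' or 'udp' qualifier;
  3. 'ftp' permitted without any rule for the 'ftp-data' channel.
"""
import ipaddress

# Assumed section keywords and rule qualifiers of the Filter grammar.
KEYWORDS = {"default", "bringup", "keepup", "pass", "log", "all",
            "send", "recv", "src", "dst", "tcp", "udp", "icmp", "syn"}
# Constructed subset of /etc/services names; the real file is authoritative.
SERVICES = {"who", "route", "ntp", "domain", "ftp", "ftp-data",
            "telnet", "smtp"}


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def is_ipv4(token):
    """True for a dotted-quad literal such as 192.168.199.0."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def lint(text):
    """Return a list of (line_number, message); line 0 means 'whole file'."""
    findings = []
    saw_ftp = saw_ftp_data = False
    for lineno, line in enumerate(text.splitlines(), 1):
        body = strip_comment(line)
        if not body:
            continue
        for rule in body.split():
            negated = rule.startswith("!")
            elems = rule.lstrip("!").split("/")
            for e in elems:
                # Accept keywords, known services, numbers (ICMP types),
                # key=value options and IPv4 literals; anything else is a
                # name the PPP daemon would have to resolve.
                if (e in KEYWORDS or e in SERVICES or e.isdigit()
                        or "=" in e or is_ipv4(e)):
                    continue
                findings.append(
                    (lineno, f"'{e}' needs name resolution; use an IP address"))
            if "domain" in elems and not ({"tcp", "udp"} & set(elems)):
                findings.append(
                    (lineno, "'domain' is both udp and tcp; add a tcp or udp "
                             "qualifier (bare name is a syntax error)"))
            if "ftp" in elems and not negated:
                saw_ftp = True
            if "ftp-data" in elems and not negated:
                saw_ftp_data = True
    if saw_ftp and not saw_ftp_data:
        findings.append(
            (0, "'ftp' is permitted but there is no 'ftp-data' rule; the "
                "data channel will be blocked"))
    return findings


# Constructed sample Filter text containing one instance of each pitfall.
SAMPLE = """\
default
    bringup !3/icmp          # ICMP unreachable messages
            !ns.example.com  # a hostname, not an IP literal
            all
    pass    !domain          # ambiguous: udp or tcp?
            ftp              # command channel only
            192.168.199.0/recv/src
"""

if __name__ == "__main__":
    for ln, msg in lint(SAMPLE):
        print(f"line {ln or '-'}: {msg}")
```

Run it against a Filter file with `lint(open(path).read())`; a clean file returns an empty list. The hostname check is deliberately coarse: it flags any element that is not a keyword, a known service, a number, an option or an IPv4 literal, so a service missing from the table shows up as a false positive rather than being silently accepted.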
Blocking Packets Required for Network Access
Finally, make sure you permit passage of all packets required for your
network access. Some Internet Service Providers (ISPs) require the use
of a routing protocol and will mark the link inactive if they do not receive
routing packets. This may require a rule in the pass clause of your
ruleset to permit the route packets to traverse the link (for example,
‘route’).
Complete Filter Example
default
    bringup
        !3/icmp                              # ICMP unreachable messages
        !5/icmp                              # ICMP redirect messages
        !11/icmp                             # ICMP time exceeded messages
        !who                                 # WHO service (513/udp)
        !route                               # routed/gated RIP service (520/udp)
        !ntp                                 # Network Time service (123/udp)
        all                                  # all other packets pass
        !recv/ip-opt=srcrt/unreach=srcfail   # block SRCRT attacks
        !192.168.199.0/recv/src/unreach=net  # block IP spoofing attacks
        !192.168.199.0/send/dst/unreach=net  # block IP spoofing attacks