User manual
Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 185 Operational User Manual
A domain name server (DNS) is an example of a service that uses UDP (on port 53). Assuming that all of your communication with the outside world passes through the rf5.0 interface, the following filter set lets your internal DNS server exchange traffic with external DNS servers while rejecting all other UDP traffic:
ipfw add accept udp from 0/0 53 to 0/0 53
ipfw add rf5.0 reject udp from 0/0 to 0/0
Note that the first rule matches only packets whose source and destination ports are both 53, so it suits server-to-server traffic between resolvers that query from port 53. A resolver that sends its queries from random source ports (the usual defence against cache poisoning) falls through to the second rule and is rejected.
Though it may look easy, in practice it is very difficult to establish a more open UDP access policy without creating large security holes. If, in particular, you decide to authorize your internal clients to access external UDP servers, take the following considerations into account (the list is far from exhaustive):
If you have NFS servers, note that they traditionally use UDP port 2049 (TCP versions of NFS also use port 2049, which can be protected by the tcp_connection modifier - see the examples above).
Some RPC portmapper implementations have serious security problems. Be very careful when authorizing external access to your internal portmapper (TCP or UDP port 111).
Also be very careful in your choice of source and destination ports to authorize. You might be tempted to accept external packets that arrive from port numbers you recognize (port 53, for instance). If you do, remember that an attacker can easily send TCP/IP or UDP/IP packets with any combination of source port and source address in place of the real ones; UDP has no handshake, so forging a source port costs nothing. A rule that trusts the source port alone therefore opens every internal UDP port to anyone who sets that source port.
Some Microsoft LAN Manager services use UDP as well as TCP. The NetBIOS and RPC endpoint-mapper services on ports 135 to 139 have a long history of implementation bugs and are a favorite target of attackers, so you should leave potential intruders no opportunity to reach them from outside:
ipfw add rf5.0 reject tcp from 0/0 to 0/0 135:139
ipfw add rf5.0 reject udp from 0/0 to 0/0 135:139
This pair of filters blocks the most common attempts to break into an internal network with Windows NT/95/98 servers and/or workstations. It is not a complete defence on its own: Windows 2000 and later also offer SMB directly over TCP port 445, which these rules do not cover, so the safest policy remains to reject everything that is not explicitly needed.
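The following Python program is an added example, not part of the Alvarion manual or of the device firmware. It parses rules written in the ipfw syntax used in this section and applies them to a few constructed packets, so that the three points made above can be checked concretely: that the DNS rule set passes only 53-to-53 traffic (a resolver querying from a random source port is rejected), that a rule trusting the source port alone lets a packet with a forged source port 53 reach an internal NFS port, and that the NetBIOS rules cover ports 135 to 139 but nothing else. First-match evaluation in the listed order, an accept default for packets matching no rule, and all addresses and packets are assumptions of the example, not statements of the manual.

```python
# Added example (not from the Alvarion manual): a small evaluator for filter
# rules written in the manual's ipfw syntax, applied to constructed packets.
# Assumptions not stated by the manual: rules are tried in the order given and
# the first match decides; a packet matching no rule is accepted; every
# address and packet below is constructed for the illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    src: str              # source IPv4 address
    sport: int            # source port
    dst: str              # destination IPv4 address
    dport: int            # destination port
    iface: str = "rf5.0"  # interface the packet crosses


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]  # None means "any interface"
    action: str           # "accept" or "reject"
    proto: str
    src: ipaddress.IPv4Network
    sports: Tuple[int, int]
    dst: ipaddress.IPv4Network
    dports: Tuple[int, int]


def _network(spec: str) -> ipaddress.IPv4Network:
    """'0/0' -> 0.0.0.0/0; '192.0.2.0/24' -> that network; a bare host -> /32."""
    addr, _, plen = spec.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]          # pad short forms like '0'
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    """'53' -> (53, 53); '135:139' -> (135, 139)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw add [iface] accept|reject proto from addr [port] to addr [port]'."""
    t = line.split()
    if t[:2] != ["ipfw", "add"]:
        raise ValueError(f"not an ipfw add rule: {line!r}")
    t = t[2:]
    iface = None if t[0] in ("accept", "reject") else t.pop(0)
    action, proto, kw, src_spec, *rest = t
    if kw != "from" or "to" not in rest:
        raise ValueError(f"malformed rule: {line!r}")
    sports = ANY_PORTS if rest[0] == "to" else _ports(rest.pop(0))
    rest.pop(0)                                          # the literal 'to'
    dst = _network(rest.pop(0))
    dports = _ports(rest.pop(0)) if rest else ANY_PORTS
    return Rule(iface, action, proto, _network(src_spec), sports, dst, dports)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.iface is None or rule.iface == pkt.iface)
        and rule.proto == pkt.proto
        and ipaddress.IPv4Address(pkt.src) in rule.src
        and rule.sports[0] <= pkt.sport <= rule.sports[1]
        and ipaddress.IPv4Address(pkt.dst) in rule.dst
        and rule.dports[0] <= pkt.dport <= rule.dports[1]
    )


def evaluate(rules: List[str], pkt: Packet) -> str:
    """Return the action of the first matching rule ('accept' if none matches)."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule.action
    return "accept"


# The manual's DNS rule set: only UDP traffic with both ports 53 passes.
DNS_RULES = [
    "ipfw add accept udp from 0/0 53 to 0/0 53",
    "ipfw add rf5.0 reject udp from 0/0 to 0/0",
]
# A tempting but loose variant that trusts the source port alone.
LOOSE_DNS_RULES = [
    "ipfw add rf5.0 accept udp from 0/0 53 to 0/0",
    "ipfw add rf5.0 reject udp from 0/0 to 0/0",
]
# The manual's NetBIOS/RPC rule set.
NETBIOS_RULES = [
    "ipfw add rf5.0 reject tcp from 0/0 to 0/0 135:139",
    "ipfw add rf5.0 reject udp from 0/0 to 0/0 135:139",
]

# Constructed packets; 192.0.2.0/24 plays the internal network.
SERVER_TO_SERVER = Packet("udp", "203.0.113.10", 53, "192.0.2.53", 53)
STUB_QUERY = Packet("udp", "192.0.2.20", 49152, "203.0.113.10", 53)   # random source port
SPOOFED_NFS = Packet("udp", "203.0.113.66", 53, "192.0.2.30", 2049)   # forged source port 53
NETBIOS_NAME = Packet("udp", "203.0.113.66", 1024, "192.0.2.20", 137)
SMB_445 = Packet("tcp", "203.0.113.66", 40000, "192.0.2.20", 445)


def demo() -> Dict[str, str]:
    return {
        "dns 53->53 under DNS_RULES": evaluate(DNS_RULES, SERVER_TO_SERVER),                   # accept
        "resolver query from random port under DNS_RULES": evaluate(DNS_RULES, STUB_QUERY),    # reject
        "forged sport 53 -> NFS under DNS_RULES": evaluate(DNS_RULES, SPOOFED_NFS),            # reject
        "forged sport 53 -> NFS under LOOSE_DNS_RULES": evaluate(LOOSE_DNS_RULES, SPOOFED_NFS),  # accept: the hole
        "NetBIOS name service under NETBIOS_RULES": evaluate(NETBIOS_RULES, NETBIOS_NAME),     # reject
        "SMB on tcp/445 under NETBIOS_RULES": evaluate(NETBIOS_RULES, SMB_445),                # accept: not covered
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:7} {case}")
```

Run it directly to print the verdicts. The "accept" for the forged packet under LOOSE_DNS_RULES is exactly the hole the port-spoofing caveat above warns about, and the "accept" for tcp/445 shows what the NetBIOS rules leave open.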
IP fragments
The ip_fragment, ip_head_fragment and ip_tail_fragment modifiers are intended for managing flows of fragmented IP packets. To understand how to use them, take the following considerations into account: