Installing and Administering PPP

112 Chapter 5
Security Techniques
Writing a Stanza - A Complex UDP Example
domain port, does not have a source address of the domain name server.
After making the changes to accommodate these differences, by removing
the restriction on direction (‘send’) and relaxing the restriction on
address, you have replaced rule (3) with the edited rule resembling (4).
(2) udp/192.168.199.11/dstport=domain
(4) udp/192.168.199.11/srcport=domain/dstport=1024-65535
Step 4 - Minimizing External Control of Data Passing through the Packet Filter
Up to this point the rules have always been based on the trust of data
under local control. With static filtering, the second rule now permits
data that is under external control through the packet filter.
if
    protocol is UDP AND
    source or destination IP address is 192.168.199.11 AND
    source port is domain (53) AND
    destination port is in the range 1024-65535
then
    permit the packet to pass
This means that an external host can send UDP packets from port 53 to
any unprivileged port on the domain name server without requiring an
internal initiator. Unfortunately, there are a number of assigned ports,
such as the normal default NFS port (2049/udp), which are allocated out
of the unprivileged port range and can present security problems. You
can minimize the risk by reducing services on your domain name server
and by adding additional rules to block access to those services before the
second rule. If you explicitly block access to the port first, the packet will
not reach the rule that gives it permission to pass, because the filter stops
evaluating as soon as a match is found.
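The following is an added illustration, not code from the manual: a small first-match filter evaluator that models the rule semantics described above. The rule fields, the `Packet`/`Rule` classes and the sample packets are constructed for this example; the only values taken from the text are the domain name server address 192.168.199.11, the domain port (53), the unprivileged range 1024-65535 and the NFS port (2049/udp). It shows why rule (4) on its own admits external UDP traffic from port 53 to 2049/udp on the server, and why an explicit block placed before the permit rule closes that path while a block placed after it has no effect.

```python
# Added example (not from the HP manual): a minimal first-match packet filter
# that models the rule semantics described in the text. Rule syntax, field
# names and the sample packets are constructed for this illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN = 53                 # well-known DNS port
NFS = 2049                  # default NFS port, allocated from the unprivileged range
UNPRIV = (1024, 65535)      # unprivileged port range used by rule (4)
DNS_SERVER = "192.168.199.11"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "permit" or "block"
    proto: Optional[str] = None
    addr: Optional[str] = None                  # matches source OR destination address
    srcport: Optional[Tuple[int, int]] = None   # inclusive range
    dstport: Optional[Tuple[int, int]] = None   # inclusive range

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.addr and self.addr not in (p.src, p.dst):
            return False
        if self.srcport and not (self.srcport[0] <= p.sport <= self.srcport[1]):
            return False
        if self.dstport and not (self.dstport[0] <= p.dport <= self.dstport[1]):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """Return the action of the FIRST matching rule; the filter stops there."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Rule (4) as described in the text: permit UDP to/from the domain name server
# when the source port is domain and the destination port is unprivileged.
PERMIT_DNS_REPLIES = Rule("permit", proto="udp", addr=DNS_SERVER,
                          srcport=(DOMAIN, DOMAIN), dstport=UNPRIV)

# Explicit block for the exposed NFS service on the domain name server.
BLOCK_NFS = Rule("block", proto="udp", addr=DNS_SERVER, dstport=(NFS, NFS))

NAIVE = [PERMIT_DNS_REPLIES]                    # rule (4) alone
HARDENED = [BLOCK_NFS, PERMIT_DNS_REPLIES]      # block placed BEFORE the permit
WRONG_ORDER = [PERMIT_DNS_REPLIES, BLOCK_NFS]   # block placed AFTER the permit

# Constructed sample packets: a normal DNS reply to the server, and an
# externally originated datagram from port 53 aimed at the server's NFS port.
dns_reply = Packet("udp", "203.0.113.5", DOMAIN, DNS_SERVER, 40000)
nfs_from_53 = Packet("udp", "203.0.113.5", DOMAIN, DNS_SERVER, NFS)
other_udp = Packet("udp", "203.0.113.5", 12345, DNS_SERVER, 40000)


def demo() -> dict:
    """Evaluate both packets against each rule ordering."""
    return {
        "naive": (evaluate(NAIVE, dns_reply), evaluate(NAIVE, nfs_from_53)),
        "hardened": (evaluate(HARDENED, dns_reply), evaluate(HARDENED, nfs_from_53)),
        "wrong_order": (evaluate(WRONG_ORDER, dns_reply), evaluate(WRONG_ORDER, nfs_from_53)),
    }


if __name__ == "__main__":
    for name, (reply, nfs) in demo().items():
        print(f"{name:12s} DNS reply: {reply:6s}  53->2049/udp: {nfs}")
```

With `NAIVE` both packets pass; with `HARDENED` the DNS reply still passes while the port 2049 datagram is blocked; with `WRONG_ORDER` the block rule is never consulted because the permit rule matched first, exactly the ordering hazard the text warns about. Traffic that matches no rule, such as `other_udp`, falls through to the default block.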
Finally, an internal user on a local host other than the domain name
server may use the ‘server’ command of ‘nslookup’ to change the default
server. In this case, the packet is not sent to the local domain name
server but directly to the external domain name server.
any.unpriv -> any.domain # the outbound domain request
any.unpriv <- any.domain # the inbound response to the request
Once again, permitting this traffic to pass requires adding two additional
rules, labeled (d) in the example, to groups (a), (b), and (c). There are now
a total of 8 rules.
(d) udp/srcaddr=192.168.199.0/srcport=1024-65535/send/dstport=domain
udp/dstaddr=192.168.199.0/dstport=1024-65535/recv/srcport=domain