* Marc Heuse wrote on Fri, Mar 02, 2001 at 01:05 +0100:
Think of all those bloody bastards trying to penetrate your filter by using source ports like 20, 53, 80, and the like.
found by their stealth scan ... (talking about simple "protection" by source port filtering - this is just stupid to rely on :-) That's exactly the reason why the AUTOPROTECTING feature exists in SuSEfirewall (which is sadly something no other firewalling script has got ... I can only encourage people to cut'n'paste ...)
Could you explain the idea? Autoprotecting sounds... well... insecure? But I have no idea what this could be.
Again, what happens with packets without a SYN flag where there is no connection for them? Yes, they can be used for scanning, but if you have a problem being scanned, then you have too many exposed systems anyway.
Usually the really important machines/subnets are blocked from such things anyway, or should be ;)
Therefore I recommend not to use iptables until we can call 2.4 stable and tested. Not before 2.4.10 or something. But that depends on the security level you want to have.
I recommend to use kernel 2.2 for the first and 2.4 for the second packet filter. If an attacker could use a kernel bug to bypass the firewall, the other kernel release usually should not have the same bug (or combine Linux and BSD, or so).
An additional problem with stateful filters is that people think they now have a magic bullet for security.
Well, but that's the same with simple firewalls and virus scanners ("I can open all attachments, I have a virus scanner!").
single line of defense. The best firewall setup is still, and will still be five years from now:
<external-router-with-static-ACLs>
              |
<Application-Gateway-Firewall>------------------<DMZ>
              |
<internal-router-with-static-ACLs>
Well, but in practice there are still a lot of protocols without good and secure proxies, aren't there? HTTP, mail, DNS and others are no problem, but maybe SMB or NFS (yep, I know, VPN :)).
Lessons learned: time changes technology. It does not change concepts.
We'll see :)

oki,
Steffen

-- 
This letter was produced by machine and therefore bears neither signature nor seal.
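An added worked example, not from the thread and not SuSEfirewall code, modelling the two designs argued about above: a static ACL that trusts "reply" source ports 20/53/80 and treats any packet without a bare SYN as part of an existing connection, next to a connection-tracking filter in the spirit of iptables -m state. The protected network, the exposed mail relay, the sample packets and the approximate ipchains/iptables rule lines in the docstrings are all constructed or assumed for the illustration, not quoted from the list.

```python
"""Toy packet filter: static source-port/ACK-bit ACL versus connection tracking.

Added as an illustration for this thread; it is not SuSEfirewall code and the
hosts, ports and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INSIDE_PREFIX = "10.0.0."           # assumed protected network
EXPOSED = {("10.0.0.25", 25)}       # assumed: the only service open to new inbound connections
TRUSTED_SPORTS = {20, 53, 80}       # "reply" source ports a naive ACL trusts (see the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]           # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

    @property
    def inbound(self) -> bool:
        return self.dst.startswith(INSIDE_PREFIX) and not self.src.startswith(INSIDE_PREFIX)

    @property
    def syn_only(self) -> bool:
        # What ipchains "-y" / iptables "--syn" matches: SYN set, ACK and RST clear.
        return "SYN" in self.flags and not ({"ACK", "RST"} & self.flags)


def stateless_verdict(pkt: Packet) -> str:
    """Static ACL of the kind criticised above. Approximate ipchains form (assumed):
         ipchains -A input -p tcp -s 0/0 53 -j ACCEPT          # "DNS replies"
         ipchains -A input -p tcp ! -y -j ACCEPT               # "not a new connection"
         ipchains -A input -p tcp -d 10.0.0.25 25 -y -j ACCEPT
         ipchains -P input DENY
    """
    if not pkt.inbound:
        return "ACCEPT"
    if pkt.sport in TRUSTED_SPORTS:
        return "ACCEPT"             # hole 1: the attacker simply sends from port 53
    if not pkt.syn_only:
        return "ACCEPT"             # hole 2: bare ACK/FIN probes look "established"
    if (pkt.dst, pkt.dport) in EXPOSED:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Connection tracking in the spirit of iptables -m state (assumed ruleset):
         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
         iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
         iptables -A INPUT -p tcp --syn -d 10.0.0.25 --dport 25 -j ACCEPT
         iptables -P INPUT DROP
    Outbound traffic is assumed allowed and creates state, as conntrack would."""

    def __init__(self) -> None:
        self.table: Set[FrozenSet[Tuple[str, int]]] = set()

    @staticmethod
    def _key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
        # Direction-independent key: one entry matches both halves of a flow.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def verdict(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.table:
            return "ACCEPT"         # ESTABLISHED: a flow whose first packet we saw
        if not pkt.inbound:
            self.table.add(key)     # our own outbound SYN opens the entry
            return "ACCEPT"
        if not pkt.syn_only:
            return "DROP"           # NEW without SYN: scan or spoof, whatever the source port
        if (pkt.dst, pkt.dport) in EXPOSED:
            self.table.add(key)
            return "ACCEPT"
        return "DROP"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Run constructed traffic through both filters; returns {name: (stateless, stateful)}."""
    traffic = [
        ("dns query out",       Packet("10.0.0.5", 40001, "192.0.2.10", 53, frozenset({"SYN"}))),
        ("dns reply in",        Packet("192.0.2.10", 53, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))),
        ("sport-53 SYN to ssh", Packet("198.51.100.7", 53, "10.0.0.5", 22, frozenset({"SYN"}))),
        ("ACK scan of ssh",     Packet("198.51.100.7", 44444, "10.0.0.5", 22, frozenset({"ACK"}))),
        ("FIN scan of ssh",     Packet("198.51.100.7", 44445, "10.0.0.5", 22, frozenset({"FIN"}))),
        ("new SMTP to relay",   Packet("203.0.113.9", 1234, "10.0.0.25", 25, frozenset({"SYN"}))),
    ]
    tracker = StatefulFilter()
    return {name: (stateless_verdict(p), tracker.verdict(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless:6s} stateful={stateful}")
```

Running it shows the two holes the thread talks about: the static ACL lets a SYN to port 22 through because it came from source port 53, and lets bare ACK and FIN probes through because they are not SYNs. The tracking filter accepts the genuine DNS reply only because it matches the outbound query it saw, and drops the same three probes regardless of source port, while still admitting a new connection to the one exposed service.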