List:       firewalls-gc
Subject:    Re: IP Filters?
From:       Darren Reed <avalon () coombs ! anu ! edu ! au>
Date:       1997-07-05 4:56:37

In some mail from Travis Hassloch, sie said:
> 
> It doesn't keep connection state in the packet like TCP does,
> but that doesn't mean a gateway can't.  Besides, if you
> rely on what the TCP flags say you're opening yourself
> up to passive port scans (i.e. scans based on packets with ACK
> set).

Not if you've half a clue about things.  Some vendors are missing
half a clue but.

> >Note: ingress traffic filtering is a concept of filtering
> >traffic leaving your administrative domain so that only
> >traffic which is announced via routing (e.g. BGP) is allowed
> >to exit your routing domain. This does nothing to protect
> >you from an attack, but it does disallow downstream users
> >from launching attacks using nonexistent source addresses.
> 
> Is this the multi-network equivalent of blocking outgoing
> packets which don't appear from being part of your internal
> network?

Yes.  Something all routers should do, anyway.
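
The two filtering points discussed in this thread, as an added example that is not part of the original message or of any product mentioned: a gateway that keeps its own connection table instead of trusting the ACK bit, and that drops outgoing packets whose source is not an internal prefix. The prefix, addresses, and the Gateway class are constructed for illustration.

```python
import ipaddress

# Constructed: a documentation prefix stands in for the site's own network.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

class Gateway:
    """Toy packet filter; connection teardown and timeouts are omitted."""

    def __init__(self):
        # Connections opened from inside: (in_ip, in_port, out_ip, out_port)
        self.state = set()

    def outbound(self, src, sport, dst, dport, flags):
        # Egress check: a source outside our prefixes cannot be legitimate.
        if not is_internal(src):
            return "drop: spoofed source"
        if flags == {"SYN"}:
            self.state.add((src, sport, dst, dport))
        return "pass"

    def inbound_flags_only(self, src, sport, dst, dport, flags):
        # "Established"-style rule: believes whatever the packet's flags say.
        return "pass" if "ACK" in flags else "drop: no ACK"

    def inbound_stateful(self, src, sport, dst, dport, flags):
        # Pass only if it answers a connection an inside host opened.
        key = (dst, dport, src, sport)
        return "pass" if key in self.state else "drop: no state"

def demo():
    gw = Gateway()
    inside, web, stranger = "192.0.2.10", "198.51.100.5", "198.51.100.77"
    return {
        "real_syn_out": gw.outbound(inside, 40000, web, 80, {"SYN"}),
        "spoofed_out": gw.outbound("203.0.113.9", 40000, web, 80, {"SYN"}),
        "reply_stateful": gw.inbound_stateful(web, 80, inside, 40000, {"SYN", "ACK"}),
        # Unsolicited ACK: the flags-only rule lets it in, the state table does not.
        "bare_ack_flags": gw.inbound_flags_only(stranger, 80, inside, 22, {"ACK"}),
        "bare_ack_stateful": gw.inbound_stateful(stranger, 80, inside, 22, {"ACK"}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```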
