
List:       sidewinder
Subject:    RE: [Sidewinder] drop port 80 packets by IP filter
From:       Blahut Randall M SSgt 83 CS/SCNO <randall.blahut () langley ! af ! mil>
Date:       2001-09-24 23:29:42

Unfortunately, the discard IP filter configuration can be very complicated.
I recently discovered that certain numbers of significant bits combined with
certain address blocks within the IP filter cause these discard rules to not
work as expected.  The entire idea was to prevent unnecessary ACL
processing...  but it came at the cost of more configuration headache
upfront.  Fortunately, we can create these rules and leave them commented
out within /etc/sidewinder/ipfilter.conf until the need arises.  You will
lose these and other "comments" if you use the GUI or "cf ipfilter" to add
or modify IP filters.

If you create an allow TCP IP filter, it will circumvent any listening
proxy.  This may or may not be a concern.  It would be nice if Secure
Computing would allow you to create a forward-to-listening-socket IP
filter rule syntax so you can combine layer 3 speed with application-layer
defenses.


SSgt Randy Blahut
ACC NOSC Network Security Team
83 CS/SCNN
Langley AFB, Virginia
DSN:  312-574-6563 or 4968
Commercial: 757-764-6563 or 4968
randall.blahut@langley.af.mil


-----Original Message-----
From: Akihiro Shirahashi [mailto:sirahasi@netone.co.jp]
Sent: Saturday, September 22, 2001 4:25 AM
To: sidewinder@adeptech.com
Subject: [Sidewinder] drop port 80 packets by IP filter



Blahut Randall M SSgt 83 CS/SCNN <randall.blahut@langley.af.mil> wrote:
at Wed, 19 Sep 2001 16:34:52 -0400:

>If you're using Sidewinder 5.1.x or later, the HTTP proxy can deny URLs
>longer than a certain length.  You can also minimize the impact on your
>firewall(s) by creating discarding TCP IP filters to drop port 80 packets
>to everything except what's allowed.  The ACL already does this, but this
>should save considerable ACL processing.

If the relevant address space is 157.2.21/24 and there is one IP address
157.2.21.1 redirected to a Web server, 254 addresses from 157.2.21.2 to
157.2.21.255 should be filtered out by IP filter.

In order to do this, we should define the following 7 IP filter rules:

drop packets to 157.2.21.2/31   (2-3)
drop packets to 157.2.21.4/30   (4-7)
drop packets to 157.2.21.8/29   (8-15)
drop packets to 157.2.21.16/28  (16-31)
drop packets to 157.2.21.32/27  (32-63)
drop packets to 157.2.21.64/26  (64-127)
drop packets to 157.2.21.128/25 (128-255)

It is a bothersome task to create these kinds of rules. If there are
multiple IP addresses used for Web servers, the rules may become more
complicated.

If the following rules could be defined for IP filter,

allow packets to 157.2.21.1/32 and <pass it to the proxy>
drop packets to 157.2.21/24

the necessary task will be greatly reduced.

Akihiro Shirahashi, Net One Systems Co.,Ltd., Tokyo, Japan
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
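The seven-rule decomposition Shirahashi works out by hand above (covering .2 through .255 while leaving .1 to the proxy) is a general problem: given a block and a handful of hosts that must stay reachable, find the smallest set of aligned prefixes that covers everything else. The following Python script is an added example, not code from either poster or from Secure Computing; it uses only the standard `ipaddress` module and produces plain CIDR strings, which you would then translate into the firewall's own rule syntax. It also includes a consistency check that a practitioner would want before committing such rules: no allowed host may fall inside a drop prefix, and every other address must be covered exactly once. The 157.2.21.0/24 block, the .1 Web server and the second .130 server in the multi-server case are taken from or extended from the thread; the function names are this example's own.

```python
import ipaddress


def drop_rules(block, allowed_hosts, skip_network_address=True):
    """Return the minimal list of CIDR prefixes covering every address in
    `block` except the hosts in `allowed_hosts` (and, by default, the block's
    network address, which the hand-written 7-rule list above also leaves out).
    Output prefixes are sorted in ascending order."""
    net = ipaddress.ip_network(block)
    keep = {ipaddress.ip_address(h) for h in allowed_hosts}
    for h in keep:
        if h not in net:
            raise ValueError(f"{h} is not inside {net}")
    # Iterating a network yields every address, network and broadcast included.
    leftovers = [
        ipaddress.ip_network(a)
        for a in net
        if a not in keep and not (skip_network_address and a == net.network_address)
    ]
    # collapse_addresses merges adjacent /32s into the largest aligned prefixes,
    # i.e. it computes the same /31, /30, ... /25 series worked out by hand above.
    return [str(n) for n in ipaddress.collapse_addresses(leftovers)]


def rules_are_consistent(block, allowed_hosts, rules, skip_network_address=True):
    """Sanity check for a drop list: no allowed host (and, optionally, not the
    network address) may be covered by any drop prefix, and every other address
    in the block must be covered by exactly one prefix."""
    net = ipaddress.ip_network(block)
    keep = {ipaddress.ip_address(h) for h in allowed_hosts}
    nets = [ipaddress.ip_network(r) for r in rules]
    for a in net:
        hits = sum(a in n for n in nets)
        exempt = a in keep or (skip_network_address and a == net.network_address)
        if exempt and hits:
            return False
        if not exempt and hits != 1:
            return False
    return True


if __name__ == "__main__":
    # The case from the thread: one Web server at .1 inside 157.2.21.0/24.
    single = drop_rules("157.2.21.0/24", ["157.2.21.1"])
    print("one server  :", len(single), "rules")
    for r in single:
        print("  drop packets to", r)
    print("consistent  :", rules_are_consistent("157.2.21.0/24", ["157.2.21.1"], single))

    # The "multiple Web servers" case mentioned above; .130 is a constructed
    # second server address used only to show how the rule count grows.
    multi = drop_rules("157.2.21.0/24", ["157.2.21.1", "157.2.21.130"])
    print("two servers :", len(multi), "rules")
    for r in multi:
        print("  drop packets to", r)
```

Note that Python requires the full dotted form `157.2.21.0/24`; the `157.2.21/24` shorthand used in the mail is not accepted by `ip_network`. The second run shows why the author calls the multi-server case "more complicated": adding one more allowed host nearly doubles the number of drop prefixes, which is exactly the ordering problem (one allow rule followed by one broad drop) that the last paragraph of the mail asks for.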
