On 22 Apr, Doug Roberts wrote:
> Hi all -
>
> I apologize for what is a pretty off-topic post. Although it does involve
> RH Linux...
>
> I've just been asked to allow UDP through the (RH Linux) firewall, and
> would like opinions on the safety of doing so. A summary of possible
> compromises to the NT/Win95 network behind the firewall is what I'm after -
> compromises that wouldn't be possible if UDP was blocked. I've cruised the
> Firewalls list archives, but the search is disabled, and there's a lot of
> reading to do.
>
> I'd also appreciate a pointer to info on how to secure the firewall if I do
> indeed have to pass UDP (port blocking and the like).
>
> Again, I apologize for the OT post - I'm not on the Firewall list, and
> subscribing just to ask a newbie question would likely irritate them as
> badly as this might irritate you.
Well - a good idea of what goes on on 'privileged' udp ports can be
obtained by looking at /etc/services. Quite what (if any) protection a
privileged port number has on Win95 or NT is anybody's guess - I would
expect any user on win95 will be able to download and start a server on
a privileged port (on Linux/Unix this requires root privilege). Win NT
has more of a concept of users and may actually require people to have
Administrator privileges to do this. Some of the things that could
cause you problems...
ntp 123/udp # Network Time Protocol
Want your clocks reset remotely if you run a time client?
tftp 69/udp
Oh wow...
etc etc
However, this does not cover the most heinous possibility for a Unix
system - NFS (which operates on udp above port 1023). It also means
that a local user could start a server/client on any unprivileged port
that people on the Internet could get at freely - given the trojans
that are around (to say nothing of security holes) in win95/NT
software, you would be literally compromising your entire network. You
simply won't have any control on what DOES happen on UDP.
If people have a legitimate need to offer or access services on
specific UDP ports, then open these up in a secure fashion (and
preferably put the servers out on a DMZ LAN separated from your
working LAN by an interior firewall).
--
Robert Hart [EMAIL PROTECTED]
Red Hat Software Inc. Phone: +1-919-547-0012 Fax: +1-919-547-0024
4201 Research Commons Suite 100, 79 TW Alexander Dr., Research Triangle Park,
NC 27709, USA
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
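A default-deny UDP policy with an explicit allowlist, the approach the reply recommends, written as an added example that is not part of the original thread. The iptables syntax, the interface name eth0 and the 192.0.2.x server addresses are assumptions; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original thread: print a default-deny UDP
# forwarding policy that admits only an explicit allowlist of UDP flows.
# Interface name, server addresses and iptables syntax are assumptions.
EXT_IF=eth0                 # assumed external interface of the firewall
DNS_SERVER=192.0.2.53       # assumed resolver (documentation address range)
NTP_SERVER=192.0.2.123      # assumed time server (documentation address range)

# Allowlist, one entry per line: "<name> <udp port> <remote address>".
# Only these outbound UDP flows (and their replies) are forwarded.
UDP_ALLOW="domain 53 $DNS_SERVER
ntp 123 $NTP_SERVER"

emit_udp_rules() {
    # Replies to flows the inside started are tracked by the connection
    # tracker, so no inbound UDP port has to be opened statically.
    echo "iptables -A FORWARD -i $EXT_IF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The services the thread singles out (tftp, portmapper, NFS) are
    # refused first, so a later allowlist mistake cannot expose them.
    for p in 69 111 2049; do
        echo "iptables -A FORWARD -i $EXT_IF -p udp --dport $p -j DROP"
    done
    # Allowlisted flows: outbound only, to the one named server each.
    printf '%s\n' "$UDP_ALLOW" | while read -r name port peer; do
        [ -n "$name" ] || continue
        echo "iptables -A FORWARD -o $EXT_IF -p udp --dport $port -d $peer -m comment --comment $name -j ACCEPT"
    done
    # Everything else UDP is logged (so probes are visible) and dropped.
    echo "iptables -A FORWARD -i $EXT_IF -p udp -j LOG --log-prefix 'UDP-DROP: '"
    echo "iptables -A FORWARD -i $EXT_IF -p udp -j DROP"
}

# Number of ACCEPT rules in the policy: one for tracked replies plus one
# per allowlist entry. Used to sanity-check the allowlist before applying.
count_udp_accepts() {
    emit_udp_rules | grep -c ' -j ACCEPT$'
}

emit_udp_rules
```

Pipe the output into sh only after reading it; a typo in the allowlist is far cheaper to catch on screen than on the firewall.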