Permissive packet filtering
You can construct a packet filter so that it stops packets destined for specified services from passing through an interface. This allows access to all services except those that you specifically block because they may be used to attack your site's systems. A drawback of this approach is that it implicitly allows an attack on any internal server that provides a service you do not know about, since only the services you list are blocked. "A packet filter that blocks a limited number of services" shows a filter that drops packets destined for the telnetd, ftpd and rlogind servers but allows packets for all other services to pass.
[Figure: A packet filter that blocks a limited number of services]
NOTE: Because the normal purpose of a permissive packet filter is to prevent outside access to local services, you will usually apply such a filter to the incoming stream of a gateway interface. For PPP, this corresponds to the passin filter.
"Services which you may wish to restrict" lists some services to which you may want to consider restricting access using a packet filter.
Services which you may wish to restrict

Service      Port/protocol   Description
systat       11/tcp          Display output from ps
systat       11/udp          Display output from ps
netstat      15/tcp          Display output from netstat
netstat      15/udp          Display output from netstat
telnet       23/tcp          telnet server (in.telnetd) port
nameserver   53/tcp          DNS server (in.named) port
nameserver   53/udp          DNS server (in.named) port
tftp         69/udp          TFTP server (in.tftpd) port
finger       79/tcp          finger server (in.fingerd) port
link         87/tcp          ttylink port
sunrpc       111/tcp         RPC bind server (rpcbind) port
sunrpc       111/udp         RPC bind server (rpcbind) port
exec         512/tcp         Remote execution server (in.rexecd) port
login        513/tcp         Remote login server (in.rlogind) port
shell        514/tcp         Remote shell server (in.rshd) port
printer      515/tcp         Print services port
uucp         540/tcp         UUCP daemon port
nfsd         2049/udp        NFS server daemon (nfsd) port
xserver0     6000/tcp        First X server port
NOTE: The TFTP service is probably the most vulnerable to attack. If possible, block access to TFTP from outside your organization's networks.
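The following Python model is an added illustration, not part of the UnixWare documentation and not written in the filter(4) file syntax. It resolves service names to port/protocol pairs from a constructed services(4)-style excerpt (the entries of the table above plus smtp), applies a permissive drop-list only to the incoming (passin) stream, and runs a restrictive allow-list beside it so the drawback described above is visible: a packet to an unlisted internal service (the constructed 8080/tcp) passes the permissive filter but not the restrictive one. The drop-list uses telnet, login and tftp because ftp does not appear in the table.

```python
"""Toy model of a permissive packet filter on the incoming (passin) stream.

Added illustration only; it does not use the UnixWare filter(4) syntax.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed excerpt in services(4) format ("name port/proto"); this is not
# the real /etc/services file, only the entries of the table above plus smtp.
SERVICES_TEXT = """
# name       port/proto
systat       11/tcp
systat       11/udp
netstat      15/tcp
netstat      15/udp
telnet       23/tcp
nameserver   53/tcp
nameserver   53/udp
tftp         69/udp
finger       79/tcp
link         87/tcp
sunrpc       111/tcp
sunrpc       111/udp
exec         512/tcp
login        513/tcp
shell        514/tcp
printer      515/tcp
uucp         540/tcp
nfsd         2049/udp
xserver0     6000/tcp
smtp         25/tcp
"""

PortProto = Tuple[int, str]


def parse_services(text: str) -> Dict[str, List[PortProto]]:
    """Map each service name to its (port, protocol) pairs, ignoring comments."""
    table: Dict[str, List[PortProto]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table.setdefault(name, []).append((int(port), proto))
    return table


def resolve(services: Dict[str, List[PortProto]], names: Iterable[str]) -> Set[PortProto]:
    """Expand service names to the set of port/protocol pairs they cover."""
    pairs: Set[PortProto] = set()
    for name in names:
        if name not in services:
            raise KeyError(f"unknown service {name!r}")  # fail closed on a typo
        pairs.update(services[name])
    return pairs


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (passin stream) or "out" (passout stream)
    proto: str      # "tcp" or "udp"
    dst_port: int


def permissive_decide(blocked: Set[PortProto], pkt: Packet) -> str:
    """Permissive filter: drop only the listed services on the incoming stream."""
    if pkt.direction == "in" and (pkt.dst_port, pkt.proto) in blocked:
        return "drop"
    return "pass"


def restrictive_decide(allowed: Set[PortProto], pkt: Packet) -> str:
    """Restrictive filter, for contrast: pass only the listed services inbound."""
    if pkt.direction == "in" and (pkt.dst_port, pkt.proto) not in allowed:
        return "drop"
    return "pass"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed packets through both filters; returns (permissive, restrictive)."""
    services = parse_services(SERVICES_TEXT)
    blocked = resolve(services, ["telnet", "login", "tftp"])  # drop-list from the text
    allowed = resolve(services, ["smtp", "nameserver"])        # allow-list for contrast
    packets = {
        "telnet_in":  Packet("in", "tcp", 23),
        "tftp_in":    Packet("in", "udp", 69),
        "smtp_in":    Packet("in", "tcp", 25),
        "telnet_out": Packet("out", "tcp", 23),   # a local user's outbound session
        "unknown_in": Packet("in", "tcp", 8080),  # constructed: an internal service nobody listed
    }
    return {name: (permissive_decide(blocked, p), restrictive_decide(allowed, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (perm, rest) in demo().items():
        print(f"{name:11s} permissive={perm:4s} restrictive={rest}")
```

Running it shows both filters dropping inbound telnet and tftp and both passing the outbound telnet session (the passin filter does not touch the outgoing stream); only the "unknown_in" row differs, which is exactly the exposure a drop-list leaves open.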
See also:
filter(4)
inetd(1Mtcp)
inetd.conf(4tcp)
services(4tcp)
© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999