Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!cs.utexas.edu!torn!maccs!beame
From: beame@maccs.dcss.mcmaster.ca (Carl Beame)
Subject: Re: Stopping only incoming TCP connections (was: Firewall usage)
Message-ID: <1992Jul31.001141.2305@maccs.dcss.mcmaster.ca>
Organization: McMaster University, Hamilton, Ontario, Canada.
References: <17011@ulysses.att.com> <1992Jul28.202211.14029@shearson.com> <chrisc.21.712446813@ramrod.lmt.mn.org>
Date: Fri, 31 Jul 1992 00:11:41 GMT
Lines: 30

In article <chrisc.21.712446813@ramrod.lmt.mn.org> chrisc@ramrod.lmt.mn.org (Chris Cox) writes:
>In article <1992Jul28.202211.14029@shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>
>>I was under the impression that if you filter all the SYN packets from
>>one direction that aren't SYN ACKs, bingo, you can't initiate any
>>incoming TCP connections. Nice and stateless. The only flaw is that
>>implementations that separately ACK the initiating SYN and then send
>>their own SYN won't be able to connect, but they are rare. Connections
>
>That would eliminate your users from starting ftp data sessions (wouldn't
>it?).
>

If your Firewall stopped all remote TCP packets with SYNs which are
for ports < 1024 except Domainname and SMTP, you could still FTP out and
receive mail and possibly domainname requests. For UDP you might want
to inhibit port 111 (portmapper) and 2049 (nfs) and possibly TFTP.

A properly configured Firewall Router can allow access from the
local net onto the Internet and even allow Internet access to specific
services or servers on the local net. For example: If you want to provide
anonymous FTP from a single host on your local net, just configure the
router to pass FTP SYN requests only to the specific host.

- Carl Beame
Beame & Whiteside Software Ltd.

P.S: I don't know of any commercial router which can do all this, but public
domain ones could be modified.
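The stateless policy described in this post (drop inbound bare SYNs to ports below 1024 except SMTP and Domain, pass inbound FTP SYNs only to one anonymous-FTP host, drop inbound UDP to portmapper, NFS and TFTP), written out as a small packet-filter evaluator. This is an added example, not code from the post or from any router; the host address and the decision to drop protocols other than TCP/UDP are assumptions.

```python
from dataclasses import dataclass

# Assumed address of the single host that is allowed to serve anonymous FTP.
ANON_FTP_HOST = "192.0.2.10"
# Low TCP ports that may receive inbound connection attempts: SMTP and Domain.
ALLOWED_TCP_LOW_PORTS = {25, 53}
# Inbound UDP ports to inhibit: TFTP, portmapper, NFS.
BLOCKED_UDP_PORTS = {69, 111, 2049}


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    inbound: bool     # True when arriving from the Internet side
    dst_host: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def filter_packet(p: Packet) -> str:
    """Return "pass" or "drop" for one packet, with no connection state."""
    if not p.inbound:
        return "pass"                       # local net -> Internet is unrestricted
    if p.proto == "udp":
        return "drop" if p.dst_port in BLOCKED_UDP_PORTS else "pass"
    if p.proto == "tcp":
        if p.syn and not p.ack:             # a bare SYN is an inbound connection attempt
            if p.dst_port == 21 and p.dst_host == ANON_FTP_HOST:
                return "pass"               # anonymous FTP, only to the designated host
            if p.dst_port < 1024 and p.dst_port not in ALLOWED_TCP_LOW_PORTS:
                return "drop"
            # Ports >= 1024 stay open so an outbound FTP client can still
            # accept the server's data connection (the concern raised above).
            return "pass"
        return "pass"                       # SYN-ACKs and established traffic
    return "drop"                           # assumption: other protocols are dropped


def filter_all(packets):
    """Apply the policy to a list of packets and return the verdicts in order."""
    return [filter_packet(p) for p in packets]
```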