Configuring packet filters and TCP Wrappers

Permissive packet filtering

You can construct a packet filter so that it stops packets destined for specified services from passing through an interface. This allows access to all services except those that you specifically block because they could be used to attack your site's systems. A drawback of this approach is that it implicitly allows access to any internal server that is providing a service you do not know about. ``A packet filter that blocks a limited number of services'' shows a filter that drops packets destined for the telnetd, ftpd and rlogind servers but allows packets for all other services to pass.

A packet filter that blocks a limited number of services


NOTE: As the normal operation of a permissive packet filter is to prevent access to local services from outside, you will usually apply such a filter to the incoming stream of a gateway interface. For PPP, this corresponds to the passin filter.

``Services which you may wish to restrict'' lists some services to which you may want to consider restricting access using a packet filter.

Services which you may wish to restrict

 -----------------------------------------------------------------------
| Service   |  Port/protocol|  Description                             |
|-----------|---------------|------------------------------------------|
| systat    |  11/tcp       |  Display output from ps                  |
| systat    |  11/udp       |  Display output from ps                  |
| netstat   |  15/tcp       |  Display output from netstat             |
| netstat   |  15/udp       |  Display output from netstat             |
| telnet    |  23/tcp       |  telnet server (in.telnetd) port         |
| nameserver|  53/tcp       |  DNS server (in.named) port              |
| nameserver|  53/udp       |  DNS server (in.named) port              |
| tftp      |  69/udp       |  TFTP server (in.tftpd) port             |
| finger    |  79/tcp       |  finger server (in.fingerd) port         |
| link      |  87/tcp       |  ttylink port                            |
| sunrpc    |  111/tcp      |  RPC bind server (rpcbind) port          |
| sunrpc    |  111/udp      |  RPC bind server (rpcbind) port          |
| exec      |  512/tcp      |  Remote execution server (in.rexecd) port|
| login     |  513/tcp      |  Remote login server (in.rlogind) port   |
| shell     |  514/tcp      |  Remote shell server (in.rshd) port      |
| printer   |  515/tcp      |  Print services port                     |
| uucp      |  540/tcp      |  UUCP daemon port                        |
| nfsd      |  2049/udp     |  NFS server daemon (nfsd) port           |
| xserver0  |  6000/tcp     |  First X server port                     |
 -----------------------------------------------------------------------



NOTE: Of these, the TFTP service is probably the most vulnerable to attack. If possible, block access to TFTP from outside your organization's networks.
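The following is an added illustration, not code from the UnixWare documentation: a small model of a permissive packet filter applied to the incoming stream, built from entries in the table above. The rule representation and the Packet type are invented for this example; they are not UnixWare's filter syntax. The audit function makes the drawback described above visible by listing every inbound port/protocol the filter lets through, including services you did not know were running.

```python
from dataclasses import dataclass

# Services to block on the incoming stream, taken from the table above
# (port/protocol pairs). Everything not listed here is allowed: that is
# what makes the filter "permissive".
BLOCKED_SERVICES = {
    ("tcp", 23): "telnet",
    ("udp", 69): "tftp",
    ("tcp", 512): "exec",
    ("tcp", 513): "login",
    ("tcp", 514): "shell",
    ("udp", 2049): "nfsd",
}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the gateway interface, "out" = leaving
    proto: str       # "tcp" or "udp"
    dst_port: int


def permissive_filter(pkt, blocked=BLOCKED_SERVICES):
    """Return (verdict, reason). The default verdict is "pass"; only an
    inbound packet addressed to a listed service is dropped, which mirrors
    applying the filter to the passin stream as the NOTE above suggests."""
    if pkt.direction != "in":
        return ("pass", "outbound traffic is not covered by the incoming filter")
    svc = blocked.get((pkt.proto, pkt.dst_port))
    if svc is not None:
        return ("drop", f"blocked service {svc} ({pkt.dst_port}/{pkt.proto})")
    return ("pass", "no rule matches; permissive default applies")


def audit(packets, blocked=BLOCKED_SERVICES):
    """Run the filter over a packet list and return the sorted set of inbound
    (proto, port) pairs it let through. Anything here that you cannot match
    to a service you intended to expose is the blind spot of this approach."""
    exposed = set()
    for p in packets:
        verdict, _ = permissive_filter(p, blocked)
        if verdict == "pass" and p.direction == "in":
            exposed.add((p.proto, p.dst_port))
    return sorted(exposed)


# Constructed sample traffic for the example (not captured data).
SAMPLE = [
    Packet("in", "tcp", 23),    # telnet from outside: dropped
    Packet("in", "udp", 69),    # tftp from outside: dropped
    Packet("in", "tcp", 80),    # web server you know about: passes
    Packet("in", "tcp", 8080),  # internal service nobody told you about: passes too
    Packet("out", "tcp", 23),   # telnet initiated from inside: passes
]
```

Comparing the audit output with the ports that are actually listening on the internal hosts is the practical check: any listener that is neither blocked nor intentionally exposed should be added to the block list.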

© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999