网络安全理论与技术09—防火墙精讲.ppt

* Table 9.1, from the text gives some examples of packet filtering rule sets. In each set, the rules are applied top to bottom. The * in a field is a wildcard designator that matches everything. We assume that the default = discard policy is in force. A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host. However, packets from a particular external host, SPIGOT, are blocked. B. This is an explicit statement of the default policy, usually implicitly the last rule. C. This rule set is intended to specify that any inside host can send mail to the outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine. Problem is that 25 as SMTP is only a default; an outside machine could be configured to have some other application linked to port 25. D. This rule set achieves the intended result that was not achieved in C. This rule set allows IP packets where the source IP address is one of a list of designated internal hosts and the destination TCP port number is 25. It also allows incoming packets with a source port number of 25 that include the ACK flag. This takes advantage of a feature of TCP connections that once set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. E. This rule set is one approach to handling FTP which uses two TCP connections: a control connection and a data connection for the actual file transfer. The data connection uses a different dynamically assigned port number for the transfer. Most servers, and hence most attack targets, live on low-numbered ports; most outgoing calls tend to use a higher-numbered port, typically above 1023. Rule set E points out the difficulty in dealing with applications at the packet filtering level. * A firewall is positioned to provide a protective barrier between an external, potentially untrusted source of traffic and an internal network. With that general principal in mind, a security administrator mu