Kung Fu Death Match, was Blame it all on the firewall!

Kurt Kessler kessler2k at yahoo.com
Fri Apr 4 22:41:08 CST 2003 

Perhaps a CTF event at the next meeting? Prove whose
kung fu is mightier? The winning Sensei gets to stick
their tounge out at the other? ;-)

Kurt

--- Jeremy Fowler <jfowler at westrope.com> wrote:
> > This is whats called a 'work signature'.. You
> encounter them someday
> > when some unfortunate company makes the mistake of
> hiring you into an IT
> > position. 
> 
> lol
> 
> > And wtf are you talking about 'blanket
> blocking'... Do you
> > usually block outbound connections on certain
> ports?  The only times
> > that is really nessecary is in a production
> enviroment (ie, production
> > servers that should never make outbound
> connections), or a corporate
> > network that wants to restrict outbound activity
> and direct all outbound
> > traffic through a proxy server.  You call it bare
> minimum, but that is
> > all he would need if he had no servers, if he had
> servers he needed open
> > to the world, afew simple modifications would do
> just fine.  
> 
> It's always a good idea to limit what goes out your
> network. 
>  
> > I don't know where this flame came from, but you
> should know that my
> > kung-foo and technique are most certainly the
> greatest.  
> >
> > Maybe you should try 'blanket blocking' outbound
> port 25 from now on,
> > since you seem to be so familiar with firewalling.
> 
> I got your blocked port right here!
>  
> > I know openssl master key overflow technique, I
> know WebDav return
> > address discovery technique, not to mention tiger
> claw and lotus.
> 
> That's funny. Good one.
> 
> > 
> > See you at the next meeting bitch.
> 
> Bring it! ;-)
> 
> > 
> >  
> > Kevin Hodle
> > CCNA, Network+, A+
> > Alexander Open Systems
> > Network Operations Center
> > (913)-307-2367
> > kevinh at aos5.com
> > 
> > 
> > -----Original Message-----
> > From: Jeremy Fowler [mailto:jfowler at westrope.com] 
> > Sent: Friday, April 04, 2003 1:21 PM
> > To: kclug at kclug.org
> > Subject: RE: Blame it all on the firewall!
> > 
> > 
> > Oh, so we gonna be like that are we. Well, I can
> nit pick with the best
> > of them...
> > 
> > > Actually, the blocking of inbound ports should
> have no effect on 
> > > outbound connections whatsoever.
> > 
> > I was talking about "blanket blocking" meaning any
> packets on those
> > ports are
> > assumed to be bad and then are dropped.   If this
> rule comes before the
> > state
> > rules it WILL have an effect on outbound traffic.
> > 
> > > Assuming he has no servers running that he wants
> the outside world to 
> > > access, a good stateful inspection ruleset would
> look something like
> > > this:
> > 
> > Ok, now why would you go and assume he has no
> servers/services running?
> > His original email said "I was doing some port
> forwarding last night."
> > Now, why do you think he would be doing port
> forwarding? Huh? Thought
> > so.
> > 
> > > (in psuedo/fw speak)
> > >
> > >  pass ip from me to any setup
> > >  pass ip from any to me established
> > >  drop ip from any to me (explicit deny)
> > 
> > That's good? I call it bare minimum.
> > 
> > >
> > > .. Note that this would block incoming icmp
> stuff that was not already
> > 
> > > established by the host (ie, outbound pings
> would work, but incoming 
> > > echo requests, redirects, and all other icmp
> types would be dropped)
> > >
> > >
> > > Kevin Hodle
> > > CCNA, Network+, A+
> > 
> > Hrrmm... People who include their alphabet soup
> after their names think
> > they need to prove something or are extremely
> egotistical. A+? Sh*t my
> > grandma got
> > A+. Your kung-fu is weak and your dojo smell of
> trench ass.
> > 
> > > Alexander Open Systems
> > > Network Operations Center
> > > (913)-307-2367
> > > kevinh at aos5.com
> > >
> > >
> > > -----Original Message-----
> > > From: Jeremy Fowler
> [mailto:jfowler at westrope.com]
> > > Sent: Friday, April 04, 2003 12:02 PM
> > > To: Matt Luettgen; kclug at kclug.org
> > > Subject: RE: Blame it all on the firewall!
> > >
> > >
> > > Well, it's not an end-all solution. I know that
> you can configure bo2k
> > 
> > > to run on any port you choose and it can use
> either TCP or UDP. So 
> > > limiting those ports only stop the lazy script
> kiddies. Just blanket 
> > > blocking packets that *might* come from a
> nefarious application might 
> > > actually stop valid traffic. Most internet
> applications choose an 
> > > outgoing port at random from the upper range
> (1024-65536). If by 
> > > chance it chooses a blocked port the connection
> will obviously fail. 
> > > That's why Statefull firewalls are so wonderful.
> However, you have to 
> > > setup your rules to make sure that valid
> Statefull packets are 
> > > accepted - which just might be the case in
> Matt's situation. Also, a 
> > > good IDS like snort can dismantle the packets
> and look for 
> > > patterns/fingerprints in the data that match
> patterns from those apps 
> > > no matter what port they come in on. So there is
> no one solution to 
> > > network security. It usually requires multiple
> solutions - with 
> > > back-up solutions for those solutions.
> > >
> > > > -----Original Message-----
> > > > From: owner-kclug at marauder.illiana.net 
> > > > [mailto:owner-kclug at marauder.illiana.net]On
> Behalf Of Matt Luettgen
> > > > Sent: Friday, April 04, 2003 9:52 AM
> > > > To: kclug at kclug.org
> > > > Subject: Re: Blame it all on the firewall!
> > > >
> > > >
> > > > I know what they are, I'm wondering why
> smoothwall doesnt have them 
> > > > closed instead of filtered
> > > >
> > > > On Fri, 04 Apr 2003 09:22:32 -0600
> > > > Jason Clinton <jasonclinton at kcpipeband.org>
> wrote:
> > > >
> > > > > Matt Luettgen wrote:
> > > > > > I was doing some port forwarding last
> night with smoothwall and 
> > > > > > when I was done I had someone nmap me from
> the outside world, 
> > > > > > everything looked normal but two ports
> which concern me because 
> > > > > > of
> > >
> > > > > > the windows boxes on the network.
> > > > > >
> > > > > > 31337/tcp  filtered    Elite
> 
=== message truncated ===

__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and more
http://tax.yahoo.com

More information about the Kclug mailing list