Kung Fu Death Match, was Blame it all on the firewall!
Brian Densmore
DensmoreB at ctbsonline.com
Fri Apr 4 23:03:25 CST 2003
All your kung fu are belong to us!
:-p
The Brown Rabbit
> -----Original Message-----
> From: Kurt Kessler [mailto:kessler2k at yahoo.com]
> Sent: Friday, April 04, 2003 4:41 PM
> To: kclug at kclug.org
> Subject: Kung Fu Death Match, was Blame it all on the firewall!
>
>
> Perhaps a CTF event at the next meeting? Prove whose
> kung fu is mightier? The winning Sensei gets to stick
> their tongue out at the other? ;-)
>
> Kurt
>
> --- Jeremy Fowler <jfowler at westrope.com> wrote:
> > > This is what's called a 'work signature'.. You
> > encounter them someday
> > > when some unfortunate company makes the mistake of
> > hiring you into an IT
> > > position.
> >
> > lol
> >
> > > And wtf are you talking about 'blanket
> > blocking'... Do you
> > > usually block outbound connections on certain
> > ports? The only times
> > > that is really necessary is in a production
> > environment (ie, production
> > > servers that should never make outbound
> > connections), or a corporate
> > > network that wants to restrict outbound activity
> > and direct all outbound
> > > traffic through a proxy server. You call it bare
> > minimum, but that is
> > > all he would need if he had no servers, if he had
> > servers he needed open
> > > to the world, a few simple modifications would do
> > just fine.
> >
> > It's always a good idea to limit what goes out your
> > network.
> >
> > > I don't know where this flame came from, but you
> > should know that my
> > > kung-foo and technique are most certainly the
> > greatest.
> > >
> > > Maybe you should try 'blanket blocking' outbound
> > port 25 from now on,
> > > since you seem to be so familiar with firewalling.
> >
> > I got your blocked port right here!
> >
> > > I know openssl master key overflow technique, I
> > know WebDav return
> > > address discovery technique, not to mention tiger
> > claw and lotus.
> >
> > That's funny. Good one.
> >
> > >
> > > See you at the next meeting bitch.
> >
> > Bring it! ;-)
> >
> > >
> > >
> > > Kevin Hodle
> > > CCNA, Network+, A+
> > > Alexander Open Systems
> > > Network Operations Center
> > > (913)-307-2367
> > > kevinh at aos5.com
> > >
> > >
> > > -----Original Message-----
> > > From: Jeremy Fowler [mailto:jfowler at westrope.com]
> > > Sent: Friday, April 04, 2003 1:21 PM
> > > To: kclug at kclug.org
> > > Subject: RE: Blame it all on the firewall!
> > >
> > >
> > > Oh, so we gonna be like that are we. Well, I can
> > nit pick with the best
> > > of them...
> > >
> > > > Actually, the blocking of inbound ports should
> > have no effect on
> > > > outbound connections whatsoever.
> > >
> > > I was talking about "blanket blocking" meaning any
> > packets on those
> > > ports are
> > > assumed to be bad and then are dropped. If this
> > rule comes before the
> > > state
> > > rules it WILL have an effect on outbound traffic.
> > >
> > > > Assuming he has no servers running that he wants
> > the outside world to
> > > > access, a good stateful inspection ruleset would
> > look something like
> > > > this:
> > >
> > > Ok, now why would you go and assume he has no
> > servers/services running?
> > > His original email said "I was doing some port
> > forwarding last night."
> > > Now, why do you think he would be doing port
> > forwarding? Huh? Thought
> > > so.
> > >
> > > > (in pseudo/fw speak)
> > > >
> > > > pass ip from me to any setup
> > > > pass ip from any to me established
> > > > drop ip from any to me (explicit deny)
> > >
> > > That's good? I call it bare minimum.
> > >
> > > >
> > > > .. Note that this would block incoming icmp
> > stuff that was not already
> > >
> > > > established by the host (ie, outbound pings
> > would work, but incoming
> > > > echo requests, redirects, and all other icmp
> > types would be dropped)
> > > >
> > > >
> > > > Kevin Hodle
> > > > CCNA, Network+, A+
> > >
> > > Hrrmm... People who include their alphabet soup
> > after their names think
> > > they need to prove something or are extremely
> > egotistical. A+? Sh*t my
> > > grandma got
> > > A+. Your kung-fu is weak and your dojo smell of
> > trench ass.
> > >
> > > > Alexander Open Systems
> > > > Network Operations Center
> > > > (913)-307-2367
> > > > kevinh at aos5.com
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jeremy Fowler
> > [mailto:jfowler at westrope.com]
> > > > Sent: Friday, April 04, 2003 12:02 PM
> > > > To: Matt Luettgen; kclug at kclug.org
> > > > Subject: RE: Blame it all on the firewall!
> > > >
> > > >
> > > > Well, it's not an end-all solution. I know that
> > you can configure bo2k
> > >
> > > > to run on any port you choose and it can use
> > either TCP or UDP. So
> > > > limiting those ports only stops the lazy script
> > kiddies. Just blanket
> > > > blocking packets that *might* come from a
> > nefarious application might
> > > > actually stop valid traffic. Most internet
> > applications choose an
> > > > outgoing port at random from the upper range
> > (1024-65536). If by
> > > > chance it chooses a blocked port the connection
> > will obviously fail.
> > > > That's why Stateful firewalls are so wonderful.
> > However, you have to
> > > > set up your rules to make sure that valid
> > Stateful packets are
> > > > accepted - which just might be the case in
> > Matt's situation. Also, a
> > > > good IDS like snort can dismantle the packets
> > and look for
> > > > patterns/fingerprints in the data that match
> > patterns from those apps
> > > > no matter what port they come in on. So there is
> > no one solution to
> > > > network security. It usually requires multiple
> > solutions - with
> > > > back-up solutions for those solutions.
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-kclug at marauder.illiana.net
> > > > > [mailto:owner-kclug at marauder.illiana.net]On
> > Behalf Of Matt Luettgen
> > > > > Sent: Friday, April 04, 2003 9:52 AM
> > > > > To: kclug at kclug.org
> > > > > Subject: Re: Blame it all on the firewall!
> > > > >
> > > > >
> > > > > I know what they are, I'm wondering why
> > smoothwall doesn't have them
> > > > > closed instead of filtered
> > > > >
> > > > > On Fri, 04 Apr 2003 09:22:32 -0600
> > > > > Jason Clinton <jasonclinton at kcpipeband.org>
> > wrote:
> > > > >
> > > > > > Matt Luettgen wrote:
> > > > > > > I was doing some port forwarding last
> > night with smoothwall and
> > > > > > > when I was done I had someone nmap me from
> > the outside world,
> > > > > > > everything looked normal but two ports
> > which concern me because
> > > > > > > of
> > > >
> > > > > > > the windows boxes on the network.
> > > > > > >
> > > > > > > 31337/tcp filtered Elite
> >
> === message truncated ===
>
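
The rule-ordering point argued in the quoted thread (a blanket port drop placed before versus after the state rules), as an added example that is not part of the original messages: a toy first-match filter in Python. The addresses, function names and packet fields are assumptions made for the illustration; the three stateful rules mirror the pseudo-ruleset quoted above.

```python
# Toy first-match packet filter with connection tracking (illustration only).
ME, REMOTE = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses
BLOCKED_PORT = 31337                         # port from the nmap output in the thread

def blanket_block(pkt, state):
    # "Blanket blocking": any packet touching the port is assumed bad.
    if BLOCKED_PORT in (pkt["sport"], pkt["dport"]):
        return "drop"

def pass_out_setup(pkt, state):
    # pass ip from me to any setup: allow and remember the outbound flow.
    if pkt["src"] == ME:
        state.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "pass"

def pass_in_established(pkt, state):
    # pass ip from any to me established: only replies to a tracked flow.
    if pkt["dst"] == ME and (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in state:
        return "pass"

def drop_in(pkt, state):
    # drop ip from any to me (explicit deny)
    if pkt["dst"] == ME:
        return "drop"

BLANKET_FIRST = [blanket_block, pass_out_setup, pass_in_established, drop_in]
STATE_FIRST = [pass_out_setup, pass_in_established, blanket_block, drop_in]

def packet(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed traffic: the client happens to pick 31337 as its ephemeral source port.
PACKETS = [
    packet(ME, 31337, REMOTE, 80),      # outbound connection setup
    packet(REMOTE, 80, ME, 31337),      # server reply to that connection
    packet(REMOTE, 40000, ME, 31337),   # unsolicited inbound probe
]

def run(ruleset, packets):
    """Return the verdict of the first matching rule for each packet."""
    state, verdicts = set(), []
    for p in packets:
        hits = (rule(p, state) for rule in ruleset)
        verdicts.append(next((v for v in hits if v), "drop"))
    return verdicts

if __name__ == "__main__":
    print("blanket rule first:", run(BLANKET_FIRST, PACKETS))
    print("state rules first: ", run(STATE_FIRST, PACKETS))
```

With the state rules first, the unsolicited probe is still dropped while the legitimate connection survives, so the blanket rule costs nothing in that position.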