Installing and Administering PPP

Chapter 5 109
Security Techniques
Writing a Stanza - A Complex UDP Example
The packet exchange looks similar to those shown below, where the
entries mean the following:

    ‘dns’     is the IP address of the domain name server
    ‘domain’  is UDP port 53
    ‘any’     is any IP address on the inside or outside network (as
              appropriate)
    arrows    represent the direction of travel

    dns.domain -> any.domain    # the outbound domain request
    dns.domain <- any.domain    # the inbound response to the request
In appearance, this is similar to an actual log file entry. The diagram
below labels the fields of a normal log entry.

    udp 192.168.199.11/domain -> 10.0.5.1/domain 124
    ^   ^              ^      ^  ^        ^      ^
    |   |              |      |  |        |      |
    |   |              |      |  |        |      + packet size (bytes)
    |   |              |      |  |        + foreign port
    |   |              |      |  + foreign address
    |   |              |      + direction
    |   |              + local port
    |   + local address
    + protocol
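As an added example (not code from the manual), the following Python parser splits entries in the log format diagrammed above into their fields and labels each one as the outbound request or inbound response of the DNS exchange described earlier; the SAMPLE_LOG lines are constructed, and 192.168.199.11 is the name server address used in the text.

```python
import re

SERVICE_PORTS = {"domain": 53}  # port names the log uses; the text says 'domain' is UDP 53
port = lambda name: SERVICE_PORTS.get(name) or int(name)  # 'domain' -> 53, '1024' -> 1024

# Matches the log entry format diagrammed above, e.g.
#   udp 192.168.199.11/domain -> 10.0.5.1/domain 124
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<laddr>[\d.]+)/(?P<lport>\w+)\s+(?P<dir><-|->)\s+"
    r"(?P<faddr>[\d.]+)/(?P<fport>\w+)\s+(?P<size>\d+)$"
)

def parse_entry(line):
    """Split one log entry into its fields; None if the line does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "protocol": m["proto"],
        "local_address": m["laddr"], "local_port": port(m["lport"]),
        "direction": "outbound" if m["dir"] == "->" else "inbound",
        "foreign_address": m["faddr"], "foreign_port": port(m["fport"]),
        "size": int(m["size"]),
    }

def classify_dns(entry, dns_server):
    """'request'  = dns.domain -> any.domain (outbound query from the name server)
       'response' = dns.domain <- any.domain (inbound reply to that query)
       'other'    = anything else, e.g. port 53 traffic not involving dns_server"""
    if entry is None or entry["protocol"] != "udp":
        return "other"
    if (entry["local_address"] != dns_server or entry["local_port"] != 53
            or entry["foreign_port"] != 53):
        return "other"
    return "request" if entry["direction"] == "outbound" else "response"

# Constructed sample entries (not from the manual). The third line is port 53
# traffic to a host other than the name server, which neither pattern covers.
SAMPLE_LOG = """\
udp 192.168.199.11/domain -> 10.0.5.1/domain 124
udp 192.168.199.11/domain <- 10.0.5.1/domain 212
udp 192.168.199.20/domain <- 10.0.5.1/domain 88
"""

def summarize(log_text, dns_server="192.168.199.11"):
    """Count each class of entry in a block of log text."""
    counts = {"request": 0, "response": 0, "other": 0}
    for line in log_text.splitlines():
        counts[classify_dns(parse_entry(line), dns_server)] += 1
    return counts
```

Entries counted as "other" are the ones to look at when checking whether a rule written with ‘any’ admits more than the intended exchange.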
Developing Safer Domain Name Request Rules
An Exercise in Simplifying Rules
This section illustrates a process you might go through to develop
domain name rules. Throughout the steps, the illustration includes two
paths you might take. The first shows how individual rules might be
developed. The second shows how the first rules can be condensed with
the same results. After each group of rules, we will evaluate the
progress, considering loopholes that might be created by the way the
rules have been written. Throughout the examples we will use
192.168.199.11 to represent the IP address of the domain name server.
Step 1 - Handling Domain Name Requests
The first example attempts to map each packet description into a
separate rule to permit these packets through the pass filter. This
results in two rules similar to the following: