February 1995

		Packet Filtering for Firewall Systems

If your site isn't filtering certain TCP/IP packets, it may not be as
secure as you think.

When the CERT Coordination Center started in 1988, it was our opinion that
security was the responsibility of the system and not the network.  While we
still believe it is important for system managers to be aware of security
issues and to continue to be diligent in securing their systems, we realize
that this effort will not protect your site from the exploitation of flawed
protocols.

The CERT staff encourages system managers, site network managers, and regional
network providers to take the time to understand packet filtering issues. 
Because of the flaws in several TCP/IP services, a site must be able to
restrict external access to these services.  Sites should consider purchasing
programmable routers. Network providers should offer packet filtering as a
service option.

Because of flaws in the protocol or chronic system administration
problems, we recommend that the following services be filtered:

        DNS zone transfers - socket 53 (TCP)
        tftpd              - socket 69 (UDP)
        link               - socket 87 (TCP) (commonly used by intruders)
        SunRPC & NFS       - socket 111 and 2049 (UDP and TCP)
        BSD UNIX "r" cmds  - sockets 512, 513, and 514 (TCP)
        lpd                - socket 515 (TCP)
        uucpd              - socket 540 (TCP)
        openwindows        - socket 2000 (UDP and TCP)
        X windows          - socket 6000+ (UDP and TCP)

We suggest that sites filter socket 53 (TCP) to prevent domain name service
zone transfers.  Permit access to socket 53 (TCP) only from known secondary
domain name servers.  This prevents intruders from gaining additional
knowledge about the systems connected to your local network.

We have handled incidents that involved automated TFTP attempts.  Many of the
systems affected were using the TFTP daemon to boot other devices.  Filtering
TFTP connections would have protected the sites from this attack.

The X windows sockets range from socket 6000 to 6000 plus the highest number
of X terminals on the same host.

If your site does not need to provide other services to external users,
those other services should be filtered.  For example, filter
telnet connections when all staff members are in the office, and filter FTP
connections to all systems except to public information servers.

In addition to filtering specific services, we recommend that sites also
filter based on the source address field of the packets to prevent IP
spoofing.  More information on this technique can be found in CERT advisory
CA-95:01, "IP Spoofing Attacks and Hijacked Terminal Connections," available by
anonymous FTP from

       info.cert.org:/pub/cert_advisories

To prevent denial of service attacks based on ICMP bombs, filter ICMP redirect
and ICMP destination unreachable packets. In addition, sites should filter
source routed packets.
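The following is an added example, not part of the CERT tech tip: a small
model of the inbound filtering policy described above (the service list, the
source-address check against spoofing, the ICMP redirect and destination
unreachable filters, and the source-route filter), applied to constructed
packet descriptions. The site prefix, the secondary name server address and
the number of X terminals per host are assumptions.

```python
# Added example (not from the CERT tech tip): model of the inbound filtering
# policy, evaluated against constructed packet descriptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")          # assumed site prefix (RFC 5737 documentation range)
SECONDARY_DNS = {ip_address("198.51.100.53")}  # assumed known secondary name server
X_DISPLAYS = 16                                # assumed highest X terminal number per host

# Services from the tip; a port listed with both protocols appears twice.
BLOCKED = {
    ("udp", 69), ("tcp", 87),
    ("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049),
    ("tcp", 512), ("tcp", 513), ("tcp", 514), ("tcp", 515), ("tcp", 540),
    ("tcp", 2000), ("udp", 2000),
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0             # destination port for tcp/udp
    icmp_type: int = -1        # ICMP type for icmp
    source_routed: bool = False  # IP source route option present

def inbound_verdict(p: Packet) -> str:
    """Return 'permit' or 'deny: <reason>' for a packet arriving from outside."""
    src = ip_address(p.src)
    if src in INTERNAL:                 # outside packet claiming an inside address
        return "deny: spoofed internal source address"
    if p.source_routed:
        return "deny: source routed packet"
    if p.proto == "icmp":
        if p.icmp_type in (3, 5):       # destination unreachable, redirect
            return "deny: ICMP type %d" % p.icmp_type
        return "permit"
    if (p.proto, p.dport) in BLOCKED:
        return "deny: %s/%d" % (p.proto, p.dport)
    if p.proto == "tcp" and p.dport == 53 and src not in SECONDARY_DNS:
        return "deny: zone transfer from unknown host"
    if 6000 <= p.dport <= 6000 + X_DISPLAYS:   # X windows, UDP and TCP
        return "deny: X windows"
    return "permit"
```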


Copyright 1995 Carnegie Mellon University

This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.


*CERT is a service mark of Carnegie Mellon University.

The CERT Coordination Center is sponsored by the Advanced Research Projects
Agency (ARPA). The Software Engineering Institute is sponsored by the U.S.
Department of Defense.
