[j-nsp] Meaning of "except" in firewall filters

Tore Anderson tore at linpro.no
Fri Oct 31 05:02:26 EDT 2008 

Hello,

* Dave Diller

> > Why not just do the boolean inverse:
>
> I use this as well, an accept term followed by a reject-all term, as
> it is easier/cleaner for someone not intimately familiar with how the
> clauses match to read this way, so I worry less abut people
> misinterpreting what I've applied on a casual run through.  Myself
> included ;-)  Much easier to debug, too, case in point.

I could've used two terms (as I wrote in the first email), like Kevin 
suggested.  However the fact that "except" didn't work as I thought 
made me curious, and I wanted to figure it out.  Besides, I personally 
prefer terse config files - why have two terms when I can have one?

> I use
>
>      from {
>          protocol tcp;
>          port ssh;
>
> Is there any particular advantage to either method?  I'm matching
> source OR destination port, and I really only need destination, so
> yours IS a bit more fine-grained...

This would allow an attacker to connect to any port on the device, by 
simply binding the source end of the TCP session to port 22.  The 
atttacker would need to have access to the SSH port to begin with, 
which makes it mostly an academic point I guess.

However, if you were to apply this to a device that was running, say, a 
load balancer with port 80 globally accessible, your way of expressing 
it would allow anyone on the internet to connect to the SSH service 
provided that they bothered to bind the source end of the TCP session 
to port 80.  This is a trivial thing to do, so in my opinion it's best 
to have a habit of always be as specific as possible.

Another thing is that «port» isn't supported on my EX series switches, 
there I have to use {destination,source}-port, so I might as well do 
that on my routers too so I can copy&paste the term from them.  Another 
thing that sucks about the EX series is that I can't figure out how to 
debug what's dropped in the firewall filters («syslog» isn't 
supported), so if I reject everything in the fallthrough term it's 
really hard to tell if I've forgot about something or not.  If anybody 
knows of a way to debug filters on the EX I'd be very grateful for any 
tips!

> >        then {
> >            log;
> >            reject tcp-reset;
>
> I've been using discard here.  Sure, it ties up MY resources as well
> as theirs, but I've also got "ssh rate-limit 10" so am not overly
> concerned (and I'm fine tying them up as long as possible).  Perhaps
> if it were a DDOS SSH attack I might start to notice...

I don't see how «discard» will tie up your resources?  «reject» (as well 
as «reject tcp-reset») will cause the router to generate a reply packet 
politely telling the client to sod off, so there's a (miniscule) 
processing overhead to it.  «discard», on the other hand, will just 
silently ignore the packet, so that's the option with the least 
overhead.  None of the alternatives will actually cause the RE to 
handle the SSH connection attempt.

> Curious about the effects of the various options, I just tried a few
> of them.
>
> 'Discard' gives a 90 second timeout and a "Connection timed out"
> error when you open an ssh connection.
> 'Reject' also gives a 90 second timeout but a "No route to host"
> error. 'Reject tcp-reset' gives an instant timeout and a "Connection
> refused", which makes sense given the RST.
>
> So I suppose it's just a philosophical difference - either way will
> keep them from opening a port, but do you want to keep them busy or
> just send them packing...

I don't think it matters much.  However, if you are only aiming to 
restrict SSH access but leave everything else open (like my example 
term), a connection attempt to a random port will yield a TCP reset.  
If a connection attempt to the SSH port yields something else (an ICMP 
destination unreachable or simply nothing), an attacker will be able to 
deduce that there most likely is an SSH service present, but that it is 
filtered.  If a connection attempt to a firewalled port yields the same 
result as a connection attempt to a closed port, you've denied the 
attacker that little piece of information.  Not saying that this is an 
effective attack mitigation strategy, but it might, depending on your 
level of paranoia, help you sleep slightly better at night.  :-)

Regards,
-- 
Tore Anderson

More information about the juniper-nsp mailing list