 From:  Sven Brill <madde at gmx dot net>
 To:  Lewis Edwards <lewis dot edwards at esi dash group dash na dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] stateful / dynamic packet filtering on m0n0wall?
 Date:  Thu, 08 Dec 2005 12:37:08 -0500
Lewis Edwards wrote:

>First, let me thank you for an excellent product and all the work you put
>into maintaining it.
>
>I have a web server in a DMZ with only port 80 open to the world.  Right
>now, someone can telnet to port 80 and poke around with my Apache
>installation. Given the right person and the wrong installation, this can
>cause a lot of problems.  If m0n0wall had stateful (or dynamic) packet
>filtering then port 80 would only accept HTTP connections and the sysadmin
>could sleep (a little) easier.
I am not sure how much you can do here with stateful packet inspection 
(which ipfw already does). The newer definitions of stateful firewalls 
indeed mention the possibility of the firewall going up to the 
application layer, but I have not seen this "in the wild" yet solely in 
a firewall.

If someone telnets to port 80 or points a browser to your site, it looks 
the same to both the firewall and the web server: a TCP connection to 
port 80. The stateful firewall checks if the packets are valid based on 
prior session initiation. Again, all valid, telnet or browser.

What you want is something that inspects each packet and checks if it is 
a sane HTTP request. I guess the easiest way to do that is putting a 
reverse proxy in front of the web server. All outside requests to port 
80 get examined, and only valid HTTP requests are passed on to the web 
server.

In the spirit of m0n0 (AFAIK, I just started playing with it a couple of 
weeks ago, but have it running at home with the ovpn5 image ever since), 
this has no place in a firewall, so you will probably be pointed to 
either pfSense, another all-in-one package, or a separate box with Squid 
set up as reverse proxy.

Sven
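The distinction Sven draws, between "a TCP connection to port 80" (which is all a stateful filter such as ipfw sees) and "a sane HTTP request" (which only an application-layer component such as a reverse proxy can judge), can be made concrete with a small request-head validator of the kind a reverse proxy applies before forwarding anything to the origin server. The code below is an added illustration, not part of the thread and not m0n0wall, ipfw or Squid code; the sample request bytes are constructed for the example, and the method allowlist, size limit and header grammar are simplifications of RFC 2616 chosen here, not a proxy's actual configuration.

```python
import re

# Policy for what counts as a "sane" request head (assumed values for this
# example, not a real proxy's defaults).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_BYTES = 8192
MAX_HEADERS = 50

# Request line: METHOD SP request-target SP HTTP/1.0|1.1 (no trailing junk).
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
# Header field: token ":" optional-whitespace value optional-whitespace.
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")

# Constructed sample inputs: what the port-80 listener might receive over a
# single TCP connection. To ipfw every one of these is a valid TCP session.
SAMPLE_REQUESTS = {
    "browser":        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"User-Agent: ExampleBrowser/1.0\r\n\r\n",
    "telnet_typed":   b"GET / HTTP/1.0\r\n\r\n",          # hand-typed but well formed
    "telnet_poke":    b"hello?\r\n",                      # not HTTP at all
    "bad_method":     b"FOO / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "missing_host":   b"GET / HTTP/1.1\r\n\r\n",          # Host is mandatory in 1.1
    "dot_segments":   b"GET /images/../../private HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "broken_header":  b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def validate_request(raw: bytes):
    """Return (accepted, reason) for one raw HTTP request head.

    Only the head (request line plus headers, up to the blank line) is
    judged; a body, if any, is left to the origin server.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        return False, "request head too large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers (missing CRLF CRLF)"
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"

    lines = text.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"

    # Require an absolute path and refuse '..' segments so the origin server
    # never sees a path that climbs out of its document tree.
    path = target.split("?", 1)[0]
    if not path.startswith("/") or ".." in path.split("/"):
        return False, "request target must be an absolute path without '..' segments"

    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return False, f"malformed header line: {line!r}"
        headers[h.group(1).lower()] = h.group(2)
    if len(headers) > MAX_HEADERS:
        return False, "too many header fields"
    if version == "1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"


def screen_requests(samples):
    """Apply validate_request to each sample; returns {name: accepted}."""
    return {name: validate_request(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        accepted, reason = validate_request(raw)
        print(f"{name:15s} {'forward' if accepted else 'reject '}  ({reason})")
```

Note the "telnet_typed" case: a well-formed request typed by hand over telnet is accepted, exactly as Sven says, because the proxy judges the request, not who or what produced it. What the proxy removes is the ability to send non-HTTP bytes, unsupported methods or malformed request lines straight at Apache.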