Nortel Web OS Switch Software Application Manual page 198
Web OS 10.0 Application Guide
In this network, the Web servers inside the LAN must be able to transfer mail to any SMTP-based mail server out on the Internet. At the same time, you want to prevent access to the LAN from the Internet, except for HTTP.

SMTP traffic uses well-known TCP Port 25. The Web servers will originate TCP sessions to the SMTP server using TCP destination Port 25, and the SMTP server will acknowledge each TCP session and data transfer using TCP source Port 25.

Creating a filter that requires the ACK flag closes one potential security hole. Without the filter, the switch would permit a TCP SYN connection request to reach any listening TCP destination port on the Web servers inside the LAN, as long as it originated from TCP source Port 25. The server would accept the TCP SYN, allocate buffer space for the connection, and reply to the connect request. In some SYN attack scenarios, this could cause the server's buffer space to fill, crashing the server or at least making it unavailable.

A filter with the ACK flag enabled prevents external devices from beginning a TCP connection (with a TCP SYN) from TCP source Port 25: the switch drops any matching frames that have the ACK flag turned off.
The following filters are required:
1. A filter that allows the Web servers to pass SMTP requests to the Internet.

>> # /cfg/slb/filt 10                  (Select a filter for trusted SMTP requests)
>> Filter 10# sip 203.122.186.0        (From the Web servers' source IP address)
>> Filter 10# smask 255.255.255.0      (For the entire subnet range)
>> Filter 10# sport any                (From any source port)
>> Filter 10# proto tcp                (For TCP traffic)
>> Filter 10# dip any                  (To any destination IP address)
>> Filter 10# dport smtp               (To well-known destination SMTP port)
>> Filter 10# action allow             (Allow matching traffic to pass)
>> Filter 10# ena                      (Enable the filter)

198   Chapter 7: Filtering   212777-A, February 2002
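To see why the return-traffic filter must check the ACK flag, here is an added example (not from the Nortel manual) that models the filter logic described above in Python: Filter 10 is taken from the page, while the second filter, its number 20 and the sample Internet mail server address 198.51.100.25 are this example's own assumptions about how the ACK-only return filter behaves.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    sip: str
    sport: int
    dip: str
    dport: int
    ack: bool  # TCP ACK flag; a bare SYN connection request has ack=False

@dataclass(frozen=True)
class Filter:
    num: int
    src: str                 # source network in CIDR; "0.0.0.0/0" means any
    sport: Optional[int]     # None means any source port
    dst: str
    dport: Optional[int]
    action: str              # "allow" or "deny"
    ack_only: bool = False   # True: matching frames with ACK off are dropped

    def evaluate(self, f: Frame) -> Optional[str]:
        """Return this filter's verdict for f, or None if f does not match it."""
        src_ok = ipaddress.ip_address(f.sip) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(f.dip) in ipaddress.ip_network(self.dst)
        if not (src_ok and dst_ok and self.sport in (None, f.sport)
                and self.dport in (None, f.dport)):
            return None
        if self.ack_only and not f.ack:
            return "deny"    # the hole the page describes: a SYN from port 25
        return self.action

WEB_LAN = "203.122.186.0/24"   # Web server subnet used on the page
ANY = "0.0.0.0/0"
FILTERS = [
    # Filter 10 as configured on the page: Web servers to any SMTP server.
    Filter(10, WEB_LAN, None, ANY, 25, "allow"),
    # Assumed return-traffic filter (number and shape are this example's own):
    # replies from source port 25 pass only when the ACK flag is set.
    Filter(20, ANY, 25, WEB_LAN, None, "allow", ack_only=True),
]

def decide(frame: Frame, filters=FILTERS) -> str:
    """Apply filters in order; a frame that matches nothing is denied."""
    for flt in filters:
        verdict = flt.evaluate(frame)
        if verdict is not None:
            return verdict
    return "deny"
```

With these two filters an outbound SMTP SYN from a Web server and the SYN-ACK reply from port 25 both pass, while a fresh SYN arriving from source port 25 toward any port on the Web servers is dropped.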