%!PS-Adobe-1.0
%%Creator: mycroft:brent (Brent Chapman)
%%Title: stdin
%%CreationDate: Wed Aug  5 12:52:13 1992
%%DocumentFonts: Times-Roman Times-Italic Times-Bold Symbol Times-Roman DIThacks
%%Pages: (atend)
%%EndComments
% Start of pscat.pro -- prolog for troff translator
% Copyright (c) 1985,1987 Adobe Systems Incorporated. All Rights Reserved. 
% GOVERNMENT END USERS: See Notice file in TranScript library directory
% -- probably /usr/lib/ps/Notice
% RCS: $Header: pscat.pro,v 2.2 87/11/17 16:40:32 byron Rel $
save /pscatsave exch def
/$pscat 50 dict def
$pscat begin
/fm [1 0 0 1 0 0] def
/xo 0 def /yo 0 def
/M /moveto load def
/R /show load def
/S {exch currentpoint exch pop moveto show}def
/T {exch currentpoint pop exch moveto show}def
/U {3 1 roll moveto show}def
/siz 0 def
/font 0 def
/Z {/siz exch def SF}def
/F {/font exch def SF}def
/SF{font 0 ne
    {catfonts font 1 sub get fm 0 siz put fm 3 siz neg put 
     fm makefont setfont}if}def
/BP{save/catsv exch def 0 792 translate 72 432 div dup neg scale 
  xo yo translate 0 0 moveto}def
/BPL{save/catsv exch def 72 8.25 mul 792 translate -90 rotate
  72 432 div dup neg scale xo yo translate 0 0 moveto}def
/EP{catsv restore showpage}def
/SetStTime{statusdict /manualfeedtimeout 120 put} def
/SetStatus{statusdict /manualfeed true put
   statusdict /product get (LaserWriter) eq 
   {version (23.0) eq  % Don't redefine EP if printer is not "Classic LW"
     {/EP {catsv restore
	 {statusdict /printerstatus get exec 16#22000000 and 0 eq{exit}if}loop
	 showpage}def}if }if}def
% definitions for PPROC callback functions
% each PPROC is called with the following number on the stack:
% pointsize charcode railmag pswidth pschar x y wid
/$pprocs 50 dict def
/fractm [.65 0 0 .6 0 0] def
% fractions
/PS1{gsave $pprocs begin
    /wid exch def pop pop pop pop pop /ch exch def /size exch def
    /pair $pprocs ch get def /cf currentfont def
    cf fractm makefont setfont
    0 .3 size mul 6 mul 2 copy neg rmoveto pair 0 get show rmoveto
    currentfont cf setfont (\244) show setfont
    pair 1 get show grestore wid .06 div 0 rmoveto end}def
$pprocs begin
8#34 [(1)(4)] def
8#36 [(1)(2)] def
8#46 [(3)(4)] def
end
% DIThacks fonts for some special chars
50 dict dup begin
/FontType 3 def
/FontName /DIThacks def
/FontMatrix [.001 0.0 0.0 .001 0.0 0.0] def
/FontBBox [-220 -280 900 900] def% a lie but ...
/Encoding 256 array def
0 1 255{Encoding exch /.notdef put}for
Encoding
 dup 8#040/space put %space
 dup 8#110/rc put %right ceil
 dup 8#111/lt put %left  top curl
 dup 8#112/bv put %bold vert
 dup 8#113/lk put %left  mid curl
 dup 8#114/lb put %left  bot curl
 dup 8#115/rt put %right top curl
 dup 8#116/rk put %right mid curl
 dup 8#117/rb put %right bot curl
 dup 8#120/rf put %right floor
 dup 8#121/lf put %left  floor
 dup 8#122/lc put %left  ceil
 dup 8#140/sq put %square
 dup 8#141/bx put %box
 dup 8#142/ci put %circle
 dup 8#143/br put %box rule
 dup 8#144/rn put %root extender
 dup 8#145/vr put %vertical rule
 dup 8#146/ob put %outline bullet
 dup 8#147/bu put %bullet
 dup 8#150/ru put %rule
 dup 8#151/ul put %underline
 pop
/DITfd 100 dict def
/BuildChar{0 begin
 /cc exch def /fd exch def
 /charname fd /Encoding get cc get def
 /charwid fd /Metrics get charname get def
 /charproc fd /CharProcs get charname get def
 charwid 0 fd /FontBBox get aload pop setcachedevice
 40 setlinewidth
 newpath 0 0 moveto gsave charproc grestore
 end}def
/BuildChar load 0 DITfd put
%/UniqueID 5 def
/CharProcs 50 dict def
CharProcs begin
/space{}def
/.notdef{}def
/ru{500 0 rls}def
/rn{0 750 moveto 500 0 rls}def
/vr{20 800 moveto 0 -770 rls}def
/bv{20 800 moveto 0 -1000 rls}def
/br{20 770 moveto 0 -1040 rls}def
/ul{0 -250 moveto 500 0 rls}def
/ob{200 250 rmoveto currentpoint newpath 200 0 360 arc closepath stroke}def
/bu{200 250 rmoveto currentpoint newpath 200 0 360 arc closepath fill}def
/sq{80 0 rmoveto currentpoint dround newpath moveto
    640 0 rlineto 0 640 rlineto -640 0 rlineto closepath stroke}def
/bx{80 0 rmoveto currentpoint dround newpath moveto
    640 0 rlineto 0 640 rlineto -640 0 rlineto closepath fill}def
/ci{355 333 rmoveto currentpoint newpath 333 0 360 arc
    50 setlinewidth stroke}def
/lt{20 -200 moveto 0 550 rlineto currx 800 2cx s4 add exch s4 a4p stroke}def
/lb{20 800 moveto 0 -550 rlineto currx -200 2cx s4 add exch s4 a4p stroke}def
/rt{20 -200 moveto 0 550 rlineto currx 800 2cx s4 sub exch s4 a4p stroke}def
/rb{20 800 moveto 0 -500 rlineto currx -200 2cx s4 sub exch s4 a4p stroke}def
/lk{20 800 moveto 20 300 -280 300 s4 arcto pop pop 1000 sub
    currentpoint stroke moveto
    20 300 4 2 roll s4 a4p 20 -200 lineto stroke}def
/rk{20 800 moveto 20 300 320 300 s4 arcto pop pop 1000 sub
    currentpoint stroke moveto
    20 300 4 2 roll s4 a4p 20 -200 lineto stroke}def
/lf{20 800 moveto 0 -1000 rlineto s4 0 rls}def
/rf{20 800 moveto 0 -1000 rlineto s4 neg 0 rls}def
/lc{20 -200 moveto 0 1000 rlineto s4 0 rls}def
/rc{20 -200 moveto 0 1000 rlineto s4 neg 0 rls}def
end
/Metrics 50 dict def Metrics begin
/.notdef 0 def
/space 500 def
/ru 500 def
/br 0 def
/lt 250 def
/lb 250 def
/rt 250 def
/rb 250 def
/lk 250 def
/rk 250 def
/rc 250 def
/lc 250 def
/rf 250 def
/lf 250 def
/bv 250 def
/ob 350 def
/bu 350 def
/ci 750 def
/bx 750 def
/sq 750 def
/rn 500 def
/ul 500 def
/vr 0 def
end
DITfd begin
/s2 500 def /s4 250 def /s3 333 def
/a4p{arcto pop pop pop pop}def
/2cx{2 copy exch}def
/rls{rlineto stroke}def
/currx{currentpoint pop}def
/dround{transform round exch round exch itransform} def
end
end
/DIThacks exch definefont pop
/catfonts [
	/Times-Roman findfont
	/Times-Italic findfont
	/Times-Bold findfont
	/Symbol findfont
	/Times-Roman findfont
	/DIThacks findfont
	] def
%%EndProlog
%%Page: ? 1
BP
3 F
96 Z
798 546(Network)U
1187(\(In\)Security)S
1715(Through)S
2109(IP)S
2237(Packet)S
2547(Filteri)S
2805(ng)S
2 F
72 Z
1502 870(G)U
1 F
1575 726(D.)U
1669(Brent)S
1853(Chapman)S
2 F
1554 870(reat)U
1694(Circle)S
1898(Associates)S
1476 1014(Brent)U
5 F
(@)R
2 F
(GreatCircle.COM)R
1594 1086(+1)U
1702(415)S
1834(962)S
1966(0841)S
2174 1230(t)U
1447 1302(M)U
1510 1230(1057)U
1678(West)S
1842(Dana)S
2026(Stree)S
1507 1302(ountain)U
1751(View,)S
1937(CA)S
2077(94041)S
1 F
66 Z
706 1623(E)U
2 F
1696 1488(ABSTRACT)U
1 F
746 1623(ver-increasing)U
1147(numbers)S
1399(of)S
1479(IP)S
1563(router)S
1745(products)S
1997(are)S
2101(offering)S
2337(packet)S
2532(\256ltering)S
2764(as)S
2843(a)S
2896(tool)S
706 1779(t)U
706 1701(for)U
811(improving)S
1113(network)S
1357(security.)S
1610(Used)S
1774(properly,)S
2042(packet)S
2241(\256ltering)S
2477(is)S
2548(a)S
2604(useful)S
2792(tool)S
2921(for)S
724 1779(he)U
835(security-conscious)S
1374(network)S
1639(administrator,)S
2054(but)S
2186(its)S
2296(effective)S
2573(use)S
2709(requires)S
2969(a)S
2969 1857(e)U
706 1935(p)U
706 1857(thorough)U
971(understanding)S
1371(of)S
1453(its)S
1542(capabilit)S
1767(ies)S
1866(and)S
1987(weaknesses,)S
2338(and)S
2459(of)S
2540(the)S
2646(quirks)S
2837(of)S
2918(th)S
739 1935(articular)U
982(protocols)S
1252(that)S
1375(\256lters)S
1550(are)S
1654(being)S
1824(applied)S
2041(to.)S
2155(This)S
2296(paper)S
2466(examines)S
2738(the)S
2842(utility)S
2980 2013(t)U
706 2091(\256)U
706 2013(of)U
796(IP)S
890(packet)S
1096(\256ltering)S
1339(as)S
1429(a)S
1493(network)S
1744(security)S
1987(measure,)S
2258(brie\257y)S
2465(contrasts)S
2734(IP)S
2827(packe)S
743 2091(ltering)U
947(to)S
1031(alternati)S
1245(ve)S
1339(network)S
1587(security)S
1827(approaches)S
2155(such)S
2308(as)S
2395(applicati)S
2620(on-level)S
2867(gate-)S
706 2247(c)U
706 2169(ways,)U
884(describes)S
1154(what)S
1307(packet)S
1502(\256lters)S
1676(might)S
1853(examine)S
2099(in)S
2174(each)S
2318(packet,)S
2530(and)S
2649(describes)S
2918(the)S
735 2247(haracteristi)U
1026(cs)S
1115(of)S
1204(common)S
1468(applicati)S
1693(on)S
1793(protocols)S
2072(as)S
2161(they)S
2307(relate)S
2485(to)S
2569(packet)S
2773(\256ltering.)S
706 2403(\256)U
706 2325(The)U
837(paper)S
1012(then)S
1154(identi\256es)S
1424(and)S
1548(examines)S
1825(problems)S
2099(common)S
2358(to)S
2438(many)S
2613(current)S
2827(packet)S
743 2403(ltering)U
941(implement)S
1221(ations,)S
1422(shows)S
1615(how)S
1755(these)S
1916(problems)S
2187(can)S
2304(easily)S
2483(undermine)S
2790(the)S
2896(net-)S
2976 2481(-)U
706 2559(t)U
706 2481(work)U
865(administrator's)S
1286(intents)S
1484(and)S
1602(lead)S
1733(to)S
1806(a)S
1857(false)S
2003(sense)S
2168(of)S
2245(security,)S
2492(and)S
2609(proposes)S
2866(solu)S
724 2559(ions)U
878(to)S
973(these)S
1152(problems.)S
1480(Finally,)S
1727(the)S
1851(paper)S
2041(concludes)S
2348(that)S
2489(packet)S
2703(\256ltering)S
2954(is)S
706 2715(i)U
706 2637(currently)U
971(a)S
1028(viable)S
1216(network)S
1460(security)S
1696(mechanism,)S
2040(but)S
2152(that)S
2278(its)S
2368(utility)S
2552(could)S
2726(be)S
2816(greatly)S
724 2715(mproved)U
980(with)S
1119(the)S
1221(extensions)S
1521(proposed)S
1785(in)S
1858(the)S
1960(paper.)S
3 F
556 2871(1.)U
650(Introduction)S
1 F
706 2970(This)U
851(paper)S
1025(considers)S
1302(packet)S
1501(\256ltering)S
1737(as)S
1820(a)S
1876(mechanism)S
2202(for)S
2306(implement)S
2586(ing)S
2697(network)S
2940(security)S
3115 3048(o)U
556 3126(i)U
556 3048(policies.)U
826(The)S
954(consideration)S
1334(is)S
1404(from)S
1558(the)S
1664(point)S
1825(of)S
1906(view)S
2060(of)S
2141(a)S
2196(site)S
2313(or)S
2394(network)S
2636(administrator)S
3012(\(wh)S
574 3126(s)U
631(interested)S
917(in)S
999(providing)S
1286(the)S
1397(best)S
1534(possible)S
1781(service)S
1998(to)S
2080(their)S
2230(users)S
2396(while)S
2572(maintaini)S
2819(ng)S
2915(adequate)S
556 3282(e)U
556 3204(security)U
787(of)S
865(their)S
1008(site)S
1122(or)S
1200(network,)S
1456(and)S
1574(who)S
1711(often)S
1869(has)S
1980(an)S
5 F
2065(")S
1 F
(us)R
2175(versus)S
2367(them)S
5 F
(")R
1 F
2549(attitude)S
2768(with)S
2907(regard)S
3097(to)S
585 3282(xternal)U
792(organizations\),)S
1210(which)S
1395(is)S
1463(not)S
1571(necessarily)S
1887(the)S
1991(same)S
2150(point)S
2309(of)S
2388(view)S
2540(that)S
2662(a)S
2715(service)S
2925(provider)S
3126 3360(\))U
556 3438(m)U
556 3360(or)U
643(router)S
832(vendor)S
1046(\(who)S
1213(is)S
1288(interested)S
1574(in)S
1656(providing)S
1943(network)S
2190(services)S
2433(or)S
2519(products)S
2777(to)S
2859(customers)S
607 3438(ight)U
742(have.)S
938(An)S
1052(assumption)S
1385(made)S
1560(throughout)S
1882(is)S
1959(that)S
2090(a)S
2152(site)S
2276(administrator)S
2659(is)S
2736(generally)S
3013(more)S
556 3594(o)U
556 3516(interested)U
835(in)S
910(keeping)S
1142(outsiders)S
1404(out)S
1512(than)S
1649(in)S
1723(trying)S
1903(to)S
1977(police)S
2160(insiders,)S
2405(and)S
2523(that)S
2644(the)S
2747(goal)S
2883(is)S
2950(to)S
3024(keep)S
589 3594(utsiders)U
823(from)S
980(breaking)S
1239(in)S
1319(and)S
1443(insiders)S
1677(from)S
1834(accidenta)S
2081(lly)S
2179(exposing)S
2446(valuable)S
2697(data)S
2835(or)S
2919(services,)S
556 3750(p)U
556 3672(not)U
668(to)S
747(prevent)S
972(insiders)S
1205(from)S
1361(intentional)S
1641(ly)S
1720(and)S
1843(maliciously)S
2177(subverting)S
2483(security)S
2719(measures.)S
3031(This)S
589 3750(aper)U
730(does)S
879(not)S
991(consider)S
1242(military-gra)S
1555(de)S
5 F
1645(")S
1 F
(secure)R
1869(IP)S
5 F
(")R
1 F
1984(implement)S
2264(ations)S
2448(\(those)S
2636(that)S
2761(implement)S
3068(the)S
3126 3828(-)U
556 3906(i)U
5 F
556 3828(")U
1 F
(IP)R
670(security)S
905(options)S
5 F
(")R
1 F
1154(that)S
1279(may)S
1419(be)S
1508(speci\256ed)S
1769(in)S
1847(IP)S
1933(packet)S
2131(headers\))S
2380(and)S
2501(related)S
2705(issues;)S
2907(it)S
2969(is)S
3039(lim)S
574 3906(ted)U
676(to)S
749(what)S
899(is)S
965(commonly)S
1268(available)S
1526(for)S
1625(sale)S
1749(to)S
1822(the)S
1924(general)S
2139(public.)S
3115 4005(k)U
556 4083(s)U
706 4005(Packet)U
913(\256ltering)S
1153(may)S
1298(be)S
1392(used)S
1545(as)S
1631(a)S
1691(mechanism)S
2021(to)S
2103(implement)S
2414(a)S
2474(wide)S
2633(variety)S
2846(of)S
2932(networ)S
582 4083(ecurity)U
802(policies.)S
1082(The)S
1221(primary)S
1466(goal)S
1616(of)S
1708(these)S
1880(policies)S
2121(is)S
2202(generally)S
2483(to)S
2571(prevent)S
2805(unauthorized)S
48 Z
556 4227(P)U
6 F
72 Z
556 4167(hhhhhhhhhhhh)U
1 F
48 Z
583 4227(ublished)U
761(in)S
2 F
814(Proceedings)S
1069(of)S
1122(the)S
1196(Third)S
1319(USENIX)S
1500(UNIX)S
1628(Security)S
1800(Symposium)S
1 F
(;)R
2048(Baltimore,)S
2266(MD;)S
2373(September,)S
2605(1992.)S
EP
%%Page: ? 2
BP
1 F
66 Z
3115 486(d)U
556 564(a)U
556 486(network)U
802(access)S
1000(without)S
1230(hindering)S
1511(authorized)S
1817(network)S
2062(access;)S
2277(the)S
2386(de\256nitions)S
2693(of)S
5 F
2777(")S
1 F
(unauthorize)R
585 564(ccess)U
5 F
(")R
1 F
782(and)S
5 F
907(")S
1 F
(authorized)R
1242(access)S
5 F
(")R
1 F
1467(vary)S
1613(widely)S
1821(from)S
1978(one)S
2102(organization)S
2459(to)S
2539(another.)S
2804(A)S
2881(secondary)S
3115 642(d)U
556 720(a)U
556 642(goal)U
694(is)S
763(often)S
923(that)S
1046(the)S
1151(mechanisms)S
1501(be)S
1588(transparent)S
1905(in)S
1981(terms)S
2152(of)S
2232(performance,)S
2606(user)S
2741(awareness,)S
3053(an)S
585 720(pplication)U
885(awareness)S
1194(of)S
1287(the)S
1405(security)S
1651(measures.)S
1973(Another)S
2226(secondary)S
2530(goal)S
2680(is)S
2761(often)S
2933(that)S
3068(the)S
3119 798(e)U
556 876(p)U
556 798(mechanisms)U
909(used)S
1058(be)S
1148(simple)S
1351(to)S
1430(con\256gure)S
1707(and)S
1830(maintain,)S
2104(thus)S
2242(increasing)S
2540(the)S
2648(likelihood)S
2942(that)S
3068(th)S
589 876(olicy)U
745(will)S
872(be)S
959(correctly)S
1217(and)S
1337(completel)S
1595(y)S
1653(implement)S
1933(ed;)S
2038(in)S
2114(the)S
2219(words)S
2405(of)S
2484(Bill)S
2606(Cheswick)S
2890(of)S
2969(AT&T)S
3119 954(a)U
556 1032(g)U
556 954(Bell)U
694(Laboratories,)S
5 F
1072(")S
1 F
(Complex)R
1370(security)S
1607(isn't)S
5 F
(")R
1 F
(.)R
1820(Packet)S
2023(\256ltering)S
2259(is)S
2331(a)S
2388(mechanism)S
2715(which)S
2904(can,)S
3040(to)S
589 1032(reater)U
766(or)S
849(lesser)S
1027(extent,)S
1232(ful\256ll)S
1406(all)S
1499(these)S
1662(goals,)S
1846(but)S
1958(only)S
2103(through)S
2336(thorough)S
2602(understanding)S
3003(of)S
3086(its)S
556 1110(strengths)U
816(and)S
933(weaknesses)S
1263(and)S
1380(careful)S
1584(applicati)S
1809(on)S
1897(of)S
1974(its)S
2058(capabilit)S
2283(ies.)S
706 1209(Several)U
928(factors)S
1132(complicat)S
1390(e)S
1444(implement)S
1724(ation)S
1880(of)S
1960(these)S
2120(policies)S
2349(using)S
2517(packet)S
2713(\256ltering,)S
2962(includ-)S
3130 1287(l)U
556 1365(g)U
556 1287(ing)U
673(asymmetric)S
1012(access)S
1213(requirements,)S
1606(differing)S
1868(requirements)S
2243(for)S
2352(various)S
2578(internal)S
2810(and)S
2937(externa)S
589 1365(roups)U
767(of)S
853(machines,)S
1149(and)S
1275(the)S
1386(varying)S
1618(characteri)S
1876(stics)S
2024(of)S
2110(the)S
2221(particular)S
2502(protocols,)S
2794(services,)S
3053(and)S
3126 1443(-)U
556 1521(m)U
556 1443(implement)U
836(ations)S
1024(of)S
1110(these)S
1276(protocols)S
1552(and)S
1678(services)S
1921(that)S
2050(the)S
2161(\256lters)S
2342(are)S
2452(to)S
2533(be)S
2625(applied)S
2848(to.)S
2968(Asym)S
607 1521(etric)U
750(access)S
945(requirements)S
1315(usually)S
1531(arise)S
1681(when)S
1850(an)S
1938(organization)S
2292(desires)S
2501(that)S
2625(its)S
2713(internal)S
2939(systems)S
556 1677(o)U
556 1599(have)U
709(more)S
873(access)S
1070(to)S
1150(external)S
1390(systems)S
1628(than)S
1770(vice)S
1908(versa.)S
2115(Differing)S
2389(requirements)S
2761(arise)S
2914(when)S
3086(an)S
589 1677(rganization)U
918(desires)S
1135(that)S
1267(some)S
1440(groups)S
1654(of)S
1742(machines)S
2023(have)S
2180(different)S
2439(network)S
2688(access)S
2889(privileges)S
3130 1755(t)U
556 1833(i)U
556 1755(than)U
695(other)S
856(groups)S
1062(of)S
1143(machines)S
1417(\(for)S
1542(instance,)S
1800(the)S
1906(organization)S
2260(may)S
2399(feel)S
2523(that)S
2646(a)S
2700(particular)S
2976(subne)S
574 1833(s)U
626(more)S
787(secure)S
981(than)S
1120(standard,)S
1386(and)S
1507(thus)S
1642(can)S
1758(safely)S
1940(take)S
2074(advantage)S
2365(of)S
2445(expanded)S
2722(network)S
2963(access,)S
556 1989(e)U
556 1911(or)U
642(they)S
786(may)S
929(feel)S
1057(that)S
1185(a)S
1244(particular)S
1525(subnet)S
1727(is)S
1801(especially)S
2093(valuable,)S
2362(and)S
2487(thus)S
2627(its)S
2719(exposure)S
2987(to)S
3068(the)S
585 1989(xternal)U
795(network)S
1039(should)S
1243(be)S
1333(as)S
1416(limited)S
1629(as)S
1712(possible\).)S
2017(Alternativel)S
2330(y,)S
2407(an)S
2496(organization)S
2851(may)S
2991(desire)S
3119 2067(e)U
556 2145(r)U
556 2067(to)U
634(allow)S
807(more)S
969(or)S
1050(less)S
1175(network)S
1417(access)S
1611(to)S
1688(some)S
1853(speci\256c)S
2080(group)S
2260(of)S
2341(external)S
2578(machines)S
2852(than)S
2991(to)S
3068(th)S
578 2145(est)U
687(of)S
777(the)S
892(external)S
1138(world)S
1327(\(for)S
1461(instance,)S
1728(a)S
1792(company)S
2068(might)S
2256(want)S
2419(to)S
2505(extend)S
2715(greater)S
2932(network)S
3122 2223(s)U
556 2301(t)U
556 2223(access)U
754(than)S
896(usual)S
1064(to)S
1144(a)S
1202(key)S
1326(client)S
1500(with)S
1646(whom)S
1840(they)S
1982(are)S
2091(collaborati)S
2371(ng,)S
2483(and)S
2607(less)S
2735(network)S
2980(acces)S
574 2301(han)U
696(usual)S
862(to)S
940(a)S
996(local)S
1150(university)S
1440(which)S
1628(is)S
1699(known)S
1906(to)S
1984(be)S
2073(the)S
2180(source)S
2379(of)S
2460(repeated)S
2708(cracker)S
2927(attacks\).)S
556 2457(h)U
556 2379(The)U
693(characteri)S
951(stics)S
1103(of)S
1193(particular)S
1479(protocols,)S
1776(services,)S
2040(and)S
2170(implement)S
2450(ations)S
2642(also)S
2783(greatly)S
2999(affect)S
589 2457(ow)U
700(effective)S
959(\256ltering)S
1197(can)S
1318(be;)S
1428(this)S
1552(particular)S
1832(issue)S
1993(is)S
2066(discussed)S
2348(in)S
2428(detail)S
2602(below,)S
2809(in)S
2889(Section)S
3115(3)S
556 2535(and)U
673(Appendix)S
955(A.)S
706 2634(Common)U
994(alternati)S
1208(ves)S
1339(to)S
1433(packet)S
1647(\256ltering)S
1898(for)S
2018(network)S
2277(security)S
2528(include)S
2763(securing)S
3028(each)S
3115 2712(n)U
556 2790(a)U
556 2712(machine)U
803(with)S
945(network)S
1186(access)S
1379(and)S
1499(using)S
1667(applicati)S
1892(on)S
1983(gateways.)S
2291(Allowing)S
2564(network)S
2804(access)S
2996(on)S
3086(a)S
585 2790(ll-or-nothing)U
956(basis)S
1122(\(a)S
1207(very)S
1358(coarse)S
1560(form)S
1722(of)S
1811(packet)S
2016(\256ltering\))S
2280(then)S
2427(attempti)S
2641(ng)S
2741(to)S
2826(secure)S
3028(each)S
3119 2868(e)U
556 2946(a)U
556 2868(machine)U
801(that)S
922(has)S
1033(network)S
1272(access)S
1462(is)S
1528(generally)S
1794(impractic)S
2041(al;)S
2128(few)S
2249(sites)S
2388(have)S
2534(the)S
2636(resources)S
2907(to)S
2980(secur)S
585 2946(nd)U
676(then)S
814(monitor)S
1047(every)S
1218(machine)S
1465(that)S
1588(needs)S
1763(even)S
1911(occasional)S
2212(network)S
2452(access.)S
2683(Application)S
3017(gate-)S
556 3102(s)U
556 3024(ways,)U
734(such)S
880(as)S
960(those)S
1124(used)S
1270(by)S
1361(AT&T)S
1565([Ches90],)S
1849(Digital)S
2056(Equipment)S
2369(Corporation)S
2712([Ranum92],)S
3053(and)S
582 3102(everal)U
766(other)S
925(organizations,)S
1320(are)S
1424(also)S
1553(often)S
1711(impractic)S
1958(al)S
2028(because)S
2259(they)S
2395(require)S
2604(internal)S
2827(hosts)S
2986(to)S
3060(run)S
3126 3180(-)U
556 3258(t)U
556 3180(modi\256ed)U
817(\(and)S
961(often)S
1122(custom-written)S
1546(or)S
1627(otherwise)S
1909(not)S
2019(commonly)S
2326(available)S
2562(\))S
2610(versions)S
2856(of)S
2937(applica)S
574 3258(ions)U
711(\(such)S
881(as)S
5 F
963(")S
1 F
(ftp)R
5 F
(")R
1 F
1119(and)S
5 F
1241(")S
1 F
(telnet)R
5 F
(")R
1 F
(\))R
1491(in)S
1569(order)S
1735(to)S
1813(reach)S
1982(external)S
2220(hosts.)S
2422(If)S
2493(a)S
2548(suitably)S
2782(modi\256ed)S
3042(ver-)S
3126 3336(r)U
556 3414(a)U
556 3336(sion)U
691(of)S
771(an)S
858(applicati)S
1083(on)S
1174(is)S
1243(not)S
1352(available)S
1613(for)S
1715(a)S
1769(given)S
1939(internal)S
2163(host)S
2297(\(a)S
2372(modi\256ed)S
2630(TELNET)S
2902(client)S
3071(fo)S
617 3414(personal)U
871(computer,)S
1167(for)S
1275(instance\),)S
1560(that)S
1689(internal)S
1920(host's)S
2109(users)S
2276(are)S
2387(simply)S
2597(out)S
2712(of)S
2798(luck)S
2942(and)S
3068(are)S
3 F
556 3648(2)U
1 F
556 3492(unable)U
753(to)S
826(reach)S
990(the)S
1092(past)S
1220(the)S
1322(applicati)S
1547(on)S
1635(gateway.)S
3 F
589 3648(.)U
650(How)S
804(Packet)S
1016(Filtering)S
1282(Works)S
1884 3804(n)U
556(2.1.)S
700(What)S
880(packet)S
1089(\256lters)S
1272(base)S
1419(their)S
1576(decisions)S
1851(o)S
1 F
706 3903(Current)U
939(IP)S
1030(packet)S
1233(\256ltering)S
1473(implement)S
1753(ations)S
1942(all)S
2039(operate)S
2264(in)S
2347(the)S
2459(same)S
2626(basic)S
2792(fashion;)S
3035(they)S
3119 3981(e)U
556 4059(w)U
556 3981(parse)U
731(the)S
847(headers)S
1084(of)S
1175(a)S
1240(packet)S
1447(and)S
1578(then)S
1727(apply)S
1909(rules)S
2073(from)S
2237(a)S
2301(simple)S
2511(rule)S
2648(base)S
2800(to)S
2886(determin)S
604 4059(hether)U
790(to)S
863(route)S
1020(or)S
1097(drop\262)S
1273(the)S
1375(packet.)S
1607(Generally,)S
1905(the)S
2007(header)S
2204(\256elds)S
2369(that)S
2489(are)S
2591(available)S
2849(to)S
2922(the)S
3024(\256lter)S
48 Z
556 4188(\262)U
6 F
556 4119(hhhhhhhhhhhhhhhhhh)U
5 F
676 4188(")U
1 F
(Permit)R
5 F
(")R
1 F
860(and)S
5 F
946(")S
1 F
(deny)R
5 F
(")R
1 F
1096(are)S
1171(used)S
1276(synonymously)S
1573(with)S
5 F
1675(")S
1 F
(route)R
5 F
(")R
1 F
1830(and)S
5 F
1916(")S
1 F
(drop)R
5 F
(")R
1 F
2060(throughout)S
2286(this)S
2371(paper.)S
2521(If)S
2569(a)S
2606(router)S
2736(decides)S
2895(to)S
2916 4248(-)U
676 4308(c)U
5 F
676 4248(")U
1 F
(permit)R
5 F
(")R
1 F
860(or)S
5 F
920(")S
1 F
(route)R
5 F
(")R
1 F
1077(a)S
1117(packet,)S
1272(it)S
1317(is)S
1368(passed)S
1515(through)S
1683(to)S
1739(its)S
1803(destination)S
2031(as)S
2090(if)S
2138(\256ltering)S
2308(never)S
2433(occurred.)S
2647(If)S
2698(a)S
2738(router)S
2871(de)S
697 4308(ides)U
793(to)S
5 F
849(")S
1 F
(deny)R
5 F
(")R
1 F
1001(or)S
5 F
1060(")S
1 F
(drop)R
5 F
(")R
1 F
1206(a)S
1245(packet,)S
1399(the)S
1475(packet)S
1617(is)S
1667(simply)S
1815(discarded,)S
2028(as)S
2086(if)S
2133(it)S
2177(never)S
2301(existed;)S
2467(depending)S
2684(on)S
2750(the)S
2826(\256lter-)S
66 Z
1791 4548(-)U
1835(2)S
1890(-)S
EP
%%Page: ? 3
BP
1 F
66 Z
556 486(a)U
(re)R
667(packet)S
869(type)S
1013(\(TCP,)S
1204(UDP,)S
1385(etc.\),)S
1547(source)S
1749(IP)S
1838(address,)S
2083(destination)S
2401(IP)S
2490(address,)S
2735(and)S
2860(destination)S
3119 564(e)U
556 642(\256)U
556 564(TCP/UDP)U
856(port.)S
1007(For)S
1127(some)S
1294(reason,)S
1511(the)S
1619(source)S
1819(TCP/UDP)S
2119(port)S
2253(is)S
2325(often)S
2 F
2488(not)S
1 F
2600(one)S
2723(of)S
2805(the)S
2912(availabl)S
593 642(elds;)U
739(this)S
856(is)S
922(a)S
973(signi\256cant)S
1269(de\256ciency)S
1561(discussed)S
1836(in)S
1909(detail)S
2076(in)S
2149(Section)S
2368(4.2.)S
3122 741(s)U
556 819(a)U
706 741(In)U
792(addition)S
1038(to)S
1120(the)S
1231(information)S
1572(contained)S
1858(in)S
1939(the)S
2049(headers,)S
2297(many)S
2473(\256ltering)S
2711(implement)S
2991(ation)S
585 819(lso)U
687(allow)S
858(the)S
963(administrator)S
1338(to)S
1414(specify)S
1629(rules)S
1782(based)S
1957(on)S
2048(which)S
2234(router)S
2416(interface)S
2670(the)S
2775(packet)S
2970(is)S
3038(des-)S
3131 897(.)U
556 975(B)U
556 897(tined)U
719(to)S
802(go)S
900(out)S
1016(on,)S
1131(and)S
1258(some)S
1429(allow)S
1607(rules)S
1767(based)S
1949(on)S
2047(which)S
2240(interface)S
2501(the)S
2612(packet)S
2814(came)S
2983(in)S
3065(on)S
600 975(eing)U
741(able)S
878(to)S
957(specify)S
1175(\256lters)S
1353(on)S
1447(both)S
1592(inbound)S
1836(and)S
1958(outbound\262)S
2267(interfaces)S
2549(allows)S
2748(you)S
2874(signi\256cant)S
556 1131(s)U
556 1053(control)U
772(over)S
919(where)S
1110(the)S
1219(router)S
1405(appears)S
1635(in)S
1715(the)S
1824(\256ltering)S
2061(scheme)S
2287(\(whether)S
2550(it)S
2615(is)S
5 F
2688(")S
1 F
(inside)R
5 F
(")R
1 F
2930(or)S
5 F
3014(")S
1 F
(out-)R
582 1131(ide)U
5 F
(")R
1 F
715(your)S
860(packet)S
1055(\256ltering)S
5 F
1287(")S
1 F
(fence)R
5 F
(")R
1 F
(\),)R
1548(and)S
1667(is)S
1735(very)S
1876(convenient)S
2188(\(if)S
2274(not)S
2382(essential\))S
2654(for)S
2755(useful)S
2940(\256ltering)S
3115 1209(d)U
556 1287(\256)U
556 1209(on)U
654(routers)S
869(with)S
1018(more)S
1185(than)S
1329(two)S
1459(interfaces.)S
1784(If)S
1859(certain)S
2068(packets)S
2296(can)S
2418(be)S
2511(dropped)S
2758(using)S
2932(inboun)S
593 1287(lters)U
730(on)S
820(a)S
872(given)S
1041(interface,)S
1310(those)S
1472(packets)S
1692(don't)S
1854(have)S
2001(to)S
2075(be)S
2160(mentioned)S
2460(in)S
2534(the)S
2637(outbound)S
2909(\256lters)S
3082(on)S
3115 1365(n)U
556 1443(a)U
556 1365(all)U
648(the)S
755(other)S
917(interfaces;)S
1217(this)S
1339(simpli\256es)S
1621(the)S
1727(\256ltering)S
1961(speci\256cations.)S
2384(Further,)S
2621(some)S
2786(\256lters)S
2962(that)S
3086(a)S
585 1443(dministrator)U
943(would)S
1145(like)S
1280(to)S
1368(be)S
1467(able)S
1613(to)S
1701(implement)S
2018(require)S
2241(knowledge)S
2566(of)S
2657(which)S
2854(interface)S
3119(a)S
556 1599(i)U
556 1521(packet)U
766(came)S
943(in)S
1033(on;)S
1156(for)S
1272(instance,)S
1543(the)S
1662(administrator)S
2051(may)S
2202(wish)S
2365(to)S
2454(drop)S
2613(all)S
2716(packets)S
2951(coming)S
574 1599(nbound)U
801(from)S
958(the)S
1067(external)S
1307(interface)S
1565(that)S
1692(claim)S
1866(to)S
1946(be)S
2037(from)S
2194(an)S
2285(internal)S
2514(host,)S
2670(in)S
2750(order)S
2918(to)S
2998(guard)S
556 1677(against)U
764(attacks)S
968(from)S
1118(the)S
1220(outside)S
1432(world)S
1608(that)S
1728(use)S
1838(faked)S
2006(internal)S
2228(source)S
2422(addresses.)S
706 1776(Some)U
884(routers)S
1095(with)S
1240(very)S
1385(rudimentary)S
1733(packet)S
1931(\256ltering)S
2166(capabilit)S
2391(ies)S
2491(don't)S
2657(parse)S
2823(the)S
2930(headers,)S
556 1932(t)U
556 1854(but)U
667(instead)S
880(require)S
1093(the)S
1200(administrator)S
1577(to)S
1655(specify)S
1872(byte)S
2012(ranges)S
2210(within)S
2404(the)S
2510(header)S
2711(to)S
2788(examine,)S
3053(and)S
574 1932(he)U
658(patterns)S
888(to)S
961(look)S
1100(for)S
1199(in)S
1272(those)S
1433(ranges.)S
1666(This)S
1805(is)S
1871(almost)S
2068(useless,)S
2294(because)S
2524(it)S
2582(requires)S
2816(the)S
2918(adminis-)S
556 2088(u)U
556 2010(trator)U
733(to)S
819(have)S
978(a)S
1041(very)S
1192(detailed)S
1433(understanding)S
1840(of)S
1929(the)S
2043(structure)S
2307(of)S
2396(an)S
2492(IP)S
2585(packet.)S
2829(It)S
2903(is)S
2981(totally)S
589 2088(nworkable)U
890(for)S
990(packets)S
1210(using)S
1376(IP)S
1458(option)S
1649(\256elds)S
1815(within)S
2006(the)S
2109(IP)S
2191(header,)S
2406(which)S
2590(cause)S
2758(the)S
2860(location)S
3093(of)S
556 2244(d)U
556 2166(the)U
667(beginning)S
961(of)S
1046(the)S
1156(higher-level)S
1503(TCP)S
1654(or)S
1739(UDP)S
1902(headers)S
2133(to)S
2214(vary;)S
2379(this)S
2504(variation)S
2767(makes)S
2965(it)S
3031(very)S
589 2244(if\256cult)U
786(for)S
885(the)S
987(administrator)S
1359(to)S
1432(\256nd)S
1557(and)S
1674(examine)S
1918(the)S
2020(TCP)S
2163(or)S
2240(UDP)S
2395(port)S
2523(information.)S
3 F
556 2400(2.2.)U
700(How)S
854(packet)S
1063(\256ltering)S
1308(rules)S
1469(are)S
1582(speci\256ed)S
1 F
706 2499(Generally,)U
1012(the)S
1122(\256ltering)S
1360(rules)S
1518(are)S
1628(expressed)S
1917(as)S
2001(a)S
2059(table)S
2215(of)S
2299(conditions)S
2602(and)S
2726(actions)S
2941(that)S
3068(are)S
3126 2577(-)U
556 2655(u)U
556 2577(applied)U
772(in)S
846(a)S
898(certain)S
1098(order)S
1259(until)S
1401(a)S
1452(decision)S
1693(to)S
1766(route)S
1923(or)S
2000(drop)S
2143(the)S
2245(packet)S
2438(is)S
2504(reached.)S
2747(When)S
2926(a)S
2977(partic)S
589 2655(lar)U
681(packet)S
875(meets)S
1051(all)S
1139(the)S
1242(conditions)S
1539(speci\256ed)S
1795(in)S
1868(a)S
1919(given)S
2087(row)S
2212(of)S
2289(the)S
2391(table,)S
2557(the)S
2659(action)S
2841(speci\256ed)S
3097(in)S
3122 2733(s)U
556 2811([)U
556 2733(that)U
678(row)S
805(\(whether)S
1063(to)S
1138(route)S
1297(or)S
1376(drop)S
1521(the)S
1625(packet\))S
1842(is)S
1910(carried)S
2116(out;)S
2242(in)S
2317(some)S
2480(\256ltering)S
2711(implement)S
2991(ation)S
578 2811(Mogul89],)U
884(the)S
989(action)S
1174(can)S
1290(also)S
1421(indicate)S
1653(whether)S
1890(or)S
1970(not)S
2079(to)S
2155(notify)S
2337(the)S
2442(sender)S
2639(that)S
2761(the)S
2865(packet)S
3060(has)S
556 2967(t)U
556 2889(been)U
704(dropped)S
944(\(through)S
1195(an)S
1281(ICMP)S
1466(message\),)S
1751(and)S
1869(whether)S
2104(or)S
2182(not)S
2289(to)S
2363(log)S
2470(the)S
2573(packet)S
2767(and)S
2885(the)S
2988(action)S
574 2967(aken)U
723(on)S
814(it.)S
914(Some)S
1089(systems)S
1323(apply)S
1494(the)S
1599(rules)S
1752(in)S
1828(the)S
1933(sequence)S
2199(speci\256ed)S
2458(by)S
2549(the)S
2654(administrator)S
3028(until)S
556 3123(t)U
556 3045(they)U
698(\256nd)S
830(a)S
888(rule)S
1019(that)S
1146(applies)S
1361([Mogul89][Cisco90],)S
1953(which)S
2143(determines)S
2460(whether)S
2701(to)S
2781(drop)S
2930(or)S
3013(route)S
574 3123(he)U
666(packet.)S
906(Others)S
1112(enforce)S
1339(a)S
1398(particular)S
1679(order)S
1848(of)S
1933(rule)S
2065(applicati)S
2290(on)S
2386(based)S
2566(on)S
2662(the)S
2772(criteria)S
2987(in)S
3068(the)S
3119 3201(e)U
556 3279(s)U
556 3201(rules,)U
729(such)S
878(as)S
961(source)S
1161(and)S
1284(destination)S
1600(address,)S
1843(regardless)S
2137(of)S
2219(the)S
2326(order)S
2492(in)S
2570(which)S
2758(the)S
2865(rules)S
3020(wer)S
582 3279(peci\256ed)U
819(by)S
914(the)S
1023(administrator.)S
1441(Some,)S
1637(for)S
1743(instance,)S
2004(apply)S
2179(\256ltering)S
2416(rules)S
2573(in)S
2653(the)S
2762(same)S
2926(order)S
3093(as)S
6 F
48 Z
556 3339(hhhhhhhhhhhhhhhhhh)U
1 F
676 3399(ing)U
754(implement)S
957(ation)S
1069(\(and)S
1171(sometimes)S
1392(on)S
1457(the)S
1532(\256ltering)S
1700(speci\256cation\),)S
1986(the)S
2061(router)S
2192(might)S
2320(send)S
2425(an)S
2487(ICMP)S
2621(message)S
2799(\(usual-)S
676 3519(t)U
676 3459(ly)U
5 F
731(")S
1 F
(host)R
849(unreachable)S
5 F
(")R
1 F
(\))R
1133(back)S
1240(to)S
1294(the)S
1369(source)S
1511(of)S
1568(a)S
1606(packet)S
1747(that)S
1835(is)S
1884(dropped,)S
2070(or)S
2127(it)S
2170(might)S
2298(simply)S
2445(pretend)S
2605(it)S
2648(never)S
2771(received)S
689 3519(he)U
750(packet.)S
556 3588(\262)U
676(Throughout)S
923(this)S
1013(paper,)S
1152(the)S
1231(terms)S
5 F
1358(")S
1 F
(inbound)R
5 F
(")R
1 F
1576(and)S
5 F
1666(")S
1 F
(outbound)R
5 F
(")R
1 F
1908(are)S
1987(usually)S
2146(used)S
2255(to)S
2313(refer)S
2424(to)S
2481(connections)S
2729(or)S
2789(packets)S
676 3708(p)U
676 3648(from)U
791(the)S
871(point)S
991(of)S
1053(view)S
1168(of)S
1230(the)S
1310(protected)S
1509(network)S
1688(as)S
1750(a)S
1793(whole,)S
1944(and)S
2035(sometimes)S
2260(used)S
2369(to)S
2427(refer)S
2538(to)S
2596(packets)S
2760(from)S
2874(the)S
700 3708(oint)U
795(of)S
856(view)S
970(of)S
1031(the)S
1109(\256ltering)S
1280(router)S
1414(\(which)S
1567(is)S
1619(at)S
1673(the)S
1751(edge)S
1861(of)S
1921(the)S
1999(internal)S
2164(network,)S
2353(between)S
2532(the)S
2610(internal)S
2775(network)S
2911 3768(e)U
5 F
676 3828(")U
1 F
676 3768(and)U
764(the)S
841(external)S
1013(world\),)S
1171(or)S
1229(to)S
1284(the)S
1360(router)S
1492(interfaces)S
1695(those)S
1814(packets)S
1975(will)S
2067(pass)S
2168(through.)S
2363(A)S
2416(packet)S
2558(might)S
2687(appear)S
2832(to)S
2887(b)S
696 3828(inbound)U
5 F
(")R
1 F
892(to)S
948(the)S
1025(\256ltering)S
1195(router)S
1328(on)S
1395(its)S
1459(way)S
1557(to)S
1612(the)S
1688(external)S
1859(world,)S
2001(but)S
2080(that)S
2169(packet)S
2311(is)S
5 F
2361(")S
1 F
(outbound)R
5 F
(")R
1 F
2600(from)S
2711(the)S
2787(internal)S
676 3948(s)U
676 3888(network)U
850(as)S
907(a)S
945(whole.)S
1107(An)S
5 F
1183(")S
1 F
(outbound)R
1401(connection)S
5 F
(")R
1 F
1647(is)S
1695(a)S
1732(connection)S
1957(initiate)S
2088(d)S
2128(from)S
2237(a)S
2274(client)S
2395(on)S
2459(an)S
2520(internal)S
2681(machine)S
2858(to)S
2911(a)S
695 3948(erver)U
812(on)S
879(an)S
943(external)S
1115(machine;)S
1308(note)S
1409(that)S
1499(while)S
1624(the)S
1701(connection)S
1929(as)S
1988(a)S
2028(whole)S
2164(is)S
2215(outbound,)S
2427(it)S
2471(includes)S
2648(both)S
2751(outbound)S
2916 4008(r)U
676 4068(b)U
676 4008(packets)U
838(\(those)S
973(from)S
1084(the)S
1160(internal)S
1323(client)S
1446(to)S
1501(the)S
1577(external)S
1748(server\))S
1899(and)S
1986(inbound)S
2161(packets)S
2322(\(those)S
2457(from)S
2568(the)S
2644(external)S
2815(serve)S
700 4068(ack)U
784(to)S
839(the)S
915(internal)S
1078(client\).)S
1229(Similarly,)S
1436(an)S
5 F
1499(")S
1 F
(inbound)R
1693(connection)S
5 F
(")R
1 F
1939(is)S
1988(a)S
2026(connection)S
2252(initiate)S
2383(d)S
2424(from)S
2534(a)S
2572(client)S
2694(on)S
2759(an)S
2821(exter-)S
2916 4128(-)U
676 4188(i)U
676 4128(nal)U
751(machine)S
929(to)S
983(a)S
1021(server)S
1155(on)S
1220(an)S
1282(internal)S
1444(machine.)S
1650(The)S
5 F
1740(")S
1 F
(inbound)R
1933(interface)S
5 F
(")R
1 F
2135(for)S
2207(a)S
2244(packet)S
2384(is)S
2432(the)S
2506(interface)S
2688(on)S
2752(the)S
2826(\256lter)S
689 4188(ng)U
755(router)S
887(that)S
976(the)S
1052(packet)S
1194(appeared)S
1384(on,)S
1462(while)S
1585(the)S
5 F
1660(")S
1 F
(outbound)R
1878(interface)S
5 F
(")R
1 F
2081(is)S
2130(the)S
2205(interface)S
2388(the)S
2463(packet)S
2604(will)S
2695(go)S
2760(out)S
2838(on)S
2903(if)S
676 4248(it)U
718(isn't)S
819(denied)S
962(by)S
1026(the)S
1100(applicati)S
1263(on)S
1327(of)S
1383(the)S
1457(\256ltering)S
1624(rules.)S
66 Z
1791 4548(-)U
1835(3)S
1890(-)S
EP
%%Page: ? 4
BP
1 F
66 Z
3122 486(s)U
556 564(p)U
556 486(routing)U
769(table)S
919(entries;)S
1135(that)S
1256(is,)S
1340(they)S
1476(apply)S
1645(rules)S
1796(referring)S
2049(to)S
2123(more)S
2280(speci\256c)S
2503(addresses)S
2778(\(such)S
2943(as)S
3020(rule)S
589 564(ertaining)U
850(to)S
929(speci\256c)S
1158(hosts\))S
1344(before)S
1540(rules)S
1696(with)S
1841(less)S
1967(speci\256c)S
2195(addresses)S
2475(\(such)S
2645(as)S
2727(rules)S
2882(pertaining)S
3115 642(h)U
556 720(t)U
556 642(to)U
637(whole)S
828(subnets)S
1056(and)S
1181(networks\))S
1475([CHS91][Telebit92a].)S
2107(The)S
2239(more)S
2404(complex)S
2659(the)S
2768(way)S
2907(in)S
2987(whic)S
574 720(he)U
666(router)S
852(reorders)S
1097(rules,)S
1271(the)S
1380(more)S
1544(dif\256cult)S
1781(it)S
1846(is)S
1919(for)S
2025(the)S
2134(administrator)S
2513(to)S
2593(understand)S
2911(the)S
3020(rules)S
3131 798(,)U
556 876(w)U
556 798(and)U
685(their)S
839(applicati)S
1064(on;)S
1182(routers)S
1399(which)S
1593(apply)S
1772(rules)S
1933(in)S
2017(the)S
2130(order)S
2302(speci\256ed)S
2569(by)S
2668(the)S
2781(administrator)S
604 876(ithout)U
786(reordering)S
1089(the)S
1198(rules,)S
1372(are)S
1481(easier)S
1663(for)S
1769(an)S
1860(administrator)S
2239(to)S
2319(understand)S
2636(and)S
2759(con\256gure,)S
3053(and)S
3 F
556 1110(2)U
1 F
556 954(therefore)U
815(more)S
972(likely)S
1143(to)S
1216(yield)S
1369(correct)S
1573(and)S
1690(complete)S
1952(\256lter)S
2098(sets.)S
3 F
589 1110(.3.)U
700(A)S
770(packet)S
979(\256ltering)S
1224(example)S
1 F
706 1209(F)U
(or)R
822(example,)S
1085(consider)S
1332(this)S
1451(scenario.)S
1733(The)S
1859(network)S
2098(administrator)S
2471(of)S
2549(a)S
2601(company)S
2865(with)S
3005(Class)S
3130 1287(l)U
556 1365(\()U
556 1287(B)U
638(network)S
892(123.45)S
1112(wishes)S
1330(to)S
1419(disallow)S
1680(access)S
1886(from)S
2052(the)S
2170(Internet)S
2412(to)S
2500(his)S
2614(network)S
2867(in)S
2955(genera)S
578 1365(123.45.0.0/16\)\262.)U
1063(The)S
1190(administrator)S
1565(has)S
1677(a)S
1730(special)S
1936(subnet)S
2132(in)S
2207(his)S
2308(network)S
2548(\(123.45.6.0/24\))S
2982(that)S
3104(is)S
556 1521(w)U
556 1443(used)U
706(in)S
786(a)S
844(collaborati)S
1124(ve)S
1215(project)S
1426(with)S
1572(a)S
1630(local)S
1786(university)S
2078(which)S
2268(has)S
2385(class)S
2542(B)S
2614(network)S
2858(135.79;)S
3086(he)S
604 1521(ishes)U
761(to)S
837(permit)S
1032(access)S
1224(to)S
1299(the)S
1403(special)S
1609(subnet)S
1805(\(123.45.6.0/24\))S
2239(from)S
2391(all)S
2480(subnets)S
2702(of)S
2781(the)S
2885(university)S
3119 1599(e)U
556 1677(w)U
556 1599(\(135.79.0.0/16\).)U
1036(Finally,)S
1270(he)S
1363(wishes)S
1574(to)S
1655(deny)S
1813(access)S
2011(\(except)S
2234(to)S
2315(the)S
2425(subnet)S
2627(that)S
2755(is)S
2829(open)S
2987(to)S
3068(th)S
604 1677(hole)U
743(university\))S
1054(from)S
1208(a)S
1263(speci\256c)S
1490(subnet)S
1688(\(135.79.99.0/24\))S
2156(at)S
2228(the)S
2333(university,)S
2638(because)S
2871(the)S
2976(subnet)S
556 1833(e)U
556 1755(is)U
624(known)S
828(to)S
903(be)S
989(insecure)S
1232(and)S
1351(a)S
1404(haven)S
1585(for)S
1686(crackers.)S
1968(For)S
2084(simplicity,)S
2387(we)S
2488(will)S
2614(consider)S
2861(only)S
3002(pack-)S
585 1833(ts)U
654(\257owing)S
881(from)S
1034(the)S
1139(university)S
1427(to)S
1503(the)S
1608(corporation;)S
1954(symmetric)S
2256(rules)S
2409(\(reversing)S
2701(the)S
2805(SrcAddr)S
3053(and)S
3126 1911(-)U
556 1989(p)U
556 1911(DstAddr)U
807(in)S
881(each)S
1024(of)S
1102(the)S
1204(rules)S
1354(below\))S
1559(would)S
1746(need)S
1892(to)S
1965(be)S
2049(added)S
2228(to)S
2301(deal)S
2432(with)S
2571(packets)S
2790(from)S
2940(the)S
3042(cor)S
589 1989(oration)U
802(to)S
879(the)S
985(university.)S
1313(Rule)S
1463(C)S
1533(is)S
1603(the)S
5 F
1709(")S
1 F
(default)R
5 F
(")R
1 F
1973(rule,)S
2118(which)S
2305(speci\256es)S
2558(what)S
2712(happens)S
2954(if)S
3020(none)S
556 2067(of)U
633(the)S
735(other)S
892(rules)S
1042(apply.)S
3 F
706 2184(Rule)U
937(SrcAddr)S
1435(DstAddr)S
1900(Action)S
1 F
2053 2262(t)U
748(A)S
937(135.79.0.0/16)S
1435(123.45.6.0/24)S
1900(permi)S
750 2340(B)U
937(135.79.99.0/24)S
1435(123.45.0.0/16)S
1900(deny)S
1995 2418(y)U
706 2553(C)U
2418(C)T
937(0.0.0.0/0)S
1435(0.0.0.0/0)S
1900(den)S
750 2553(onsider)U
969(these)S
5 F
1129(")S
1 F
(sample)R
5 F
(")R
1 F
1396(packets,)S
1635(their)S
1780(desired)S
1995(treatment)S
2267(under)S
2442(the)S
2547(policy)S
2735(outlined)S
2974(above,)S
5 F
556 2709(")U
1 F
556 2631(and)U
687(their)S
843(treatment)S
1126(depending)S
1436(on)S
1538(whether)S
1786(the)S
1902(rules)S
2066(above)S
2259(are)S
2375(applied)S
2604(in)S
2691(order)S
5 F
2866(")S
1 F
(ABC)R
5 F
(")R
1 F
3093(or)S
584 2709(BAC)U
5 F
(")R
1 F
(.)R
3 F
706 2826(P)U
(acket)R
995(SrcAddr)S
1409(DstAddr)S
1790(Desired)S
2028(Action)S
2314(ABC)S
2476(action)S
2747(BAC)S
2909(action)S
1 F
784 2982(2)U
784 2904(1)U
995(135.79.99.1)S
1409(123.45.1.1)S
1790(deny)S
2314(deny)S
2464(\(B\))S
2747(deny)S
2897(\(B\))S
995 2982(135.79.99.1)U
1409(123.45.6.1)S
1790(permit)S
2314(permit)S
2507(\(A\))S
2 F
2747(deny)S
2893(\(B\))S
1 F
3010 3060(\))U
784 3138(4)U
784 3060(3)U
995(135.79.1.1)S
1409(123.45.6.1)S
1790(permit)S
2314(permit)S
2507(\(A\))S
2747(permit)S
2940(\(A)S
995 3138(135.79.1.1)U
1409(123.45.1.1)S
1790(deny)S
2314(deny)S
2464(\(C\))S
2747(deny)S
2897(\(C\))S
3122 3273(s)U
556 3351(f)U
706 3273(A)U
780(router)S
963(that)S
1087(applies)S
1299(the)S
1405(rules)S
1558(in)S
1634(the)S
1739(order)S
1903(ABC)S
2064(will)S
2191(achieve)S
2416(the)S
2521(desired)S
2736(results:)S
2951(packet)S
578 3351(rom)U
711(the)S
5 F
818(")S
1 F
(hacker)R
1048(haven)S
5 F
(")R
1 F
1260(subnet)S
1459(at)S
1533(the)S
1640(university)S
1930(to)S
2008(the)S
2115(company)S
2383(network)S
2626(in)S
2704(general)S
2924(\(such)S
3093(as)S
3130 3429(t)U
556 3507(a)U
556 3429(packet)U
752(1)S
810(above\))S
1014(will)S
1141(be)S
1228(denied)S
1428(\(by)S
1541(rule)S
1668(B\),)S
1776(packets)S
1997(from)S
2149(the)S
2253(university)S
5 F
2540(")S
1 F
(hacker)R
2767(haven)S
5 F
(")R
1 F
2976(subne)S
585 3507(t)U
641(the)S
758(university)S
1058(to)S
1146(the)S
1263(company's)S
1589(collaborati)S
1869(on)S
1972(subnet)S
2181(\(such)S
2361(as)S
2453(packet)S
2661(2)S
2731(above\))S
2947(will)S
3086(be)S
48 Z
556 3636(\262)U
6 F
556 3567(hhhhhhhhhhhhhhhhhh)U
1 F
676 3636(Throughout)U
920(this)S
1007(paper,)S
1143(the)S
1219(syntax)S
5 F
1362(")S
2 F
(a.b.c.d)R
1 F
(/)R
2 F
(y)R
5 F
(")R
1 F
1583(denotes)S
5 F
1747(")S
1 F
(the)R
1843(address)S
2 F
2005(a.b.c.d)S
1 F
(,)R
2164(with)S
2267(the)S
2343(top)S
2 F
2421(y)S
1 F
2459(bits)S
2545(signi\256cant)S
2761(for)S
2834(com-)S
2916 3696(-)U
676 3756(e)U
676 3696(parison)U
5 F
(")R
1 F
(.)R
866(In)S
923(other)S
1038(words,)S
1185(123.45.0.0/16)S
1467(means)S
1606(that)S
1694(the)S
1769(top)S
1847(16)S
1912(bits)S
1998(\(123.45\))S
2179(are)S
2254(signi\256cant)S
2470(for)S
2543(comparisons)S
2802(to)S
2855(oth)S
697 3756(r)U
748(addresses.)S
995(The)S
1104(address)S
1282(123.45.6.7)S
1520(thus)S
1634(matches)S
1824(123.0.0.0/8,)S
2087(123.45.0.0/16,)S
2398(and)S
2501(123.45.6/24,)S
2776(but)S
2871(not)S
676 3876(s)U
676 3816(123.45.99.0/24.)U
1011(A)S
1064(pattern)S
1214(with)S
1317(0)S
1358(signi\256cant)S
1574(bits)S
1660(\(such)S
1781(as)S
1838(0.0.0.0/0\))S
2040(matches)S
2213(any)S
2299(address,)S
2472(while)S
2595(a)S
2633(pattern)S
2782(with)S
2884(32)S
695 3876(igni\256cant)U
892(bits)S
978(\(such)S
1099(as)S
1156(123.45.6.7/32\))S
1454(matches)S
1627(only)S
1729(that)S
1817(particular)S
2016(address)S
2177(\(123.45.6.7\).)S
2458(This)S
2560(syntax)S
2702(is)S
2751(a)S
2789(simpler)S
676 3996(b)U
676 3936(form)U
790(of)S
851(expressing)S
1077(an)S
1143(address)S
1308(pattern)S
1461(than)S
1564(the)S
1643(traditional)S
5 F
1859(")S
1 F
(address,)R
2056(wildcard)S
2243(mask)S
5 F
(")R
1 F
2384(tuple,)S
2511(particularl)S
2706(y)S
2750(when)S
2874(the)S
700 3996(oundary)U
878(between)S
1058(the)S
1137(wildcarded)S
1370(and)S
1460(non-wildcarded)S
1781(bits)S
1871(doesn't)S
2033(fall)S
2117(on)S
2186(an)S
2252(8-bit)S
2362(boundary)S
2563(\(for)S
2655(instance,)S
2843(on)S
2911(a)S
2911 4056(e)U
676 4116(r)U
676 4056(Cisco)U
805(router,)S
951(the)S
1029(pattern)S
1181(123.0.0.0/8)S
1417(would)S
1556(be)S
1620(represented)S
1859(as)S
5 F
1918(")S
1 F
(123.0.0.0)R
2137(0.255.255.255)S
5 F
(")R
1 F
(,)R
2464(123.45.6.0/24)S
2748(would)S
2887(b)S
692 4116(epresented)U
922(as)S
5 F
988(")S
1 F
(123.45.6.0)R
1237(0.0.0.255)S
5 F
(")R
1 F
(,)R
1474(and)S
1568(123.45.6.240/28)S
1906(would)S
2051(be)S
2121(represented)S
2366(as)S
5 F
2431(")S
1 F
(123.45.6.240)R
2728(0.0.0.15)S
5 F
(")R
1 F
(\).)R
676 4236(o)U
676 4176(This)U
782(syntax)S
928(was)S
1024(originated)S
1238(in)S
1296(the)S
2 F
1374(KA9Q)S
1 F
1514(networking)S
1752(package)S
1928(for)S
2004(PCs,)S
2114(and)S
2203(is)S
2255(used)S
2363(in)S
2420(the)S
2498(Telebit)S
2 F
2652(NetBlazer)S
1 F
2863(and)S
700 4236(ther)U
790(products.)S
66 Z
1791 4548(-)U
1835(4)S
1890(-)S
EP
%%Page: ? 5
BP
5 F
66 Z
3120 486(")U
1 F
556 564(s)U
556 486(permitted)U
833(\(by)S
947(rule)S
1075(A\),)S
1188(packets)S
1411(from)S
1565(the)S
1671(university's)S
2008(general)S
2227(network)S
2469(to)S
2545(the)S
2650(company's)S
5 F
2964(")S
1 F
(open)R
582 564(ubnet)U
772(\(such)S
959(as)S
1057(packet)S
1271(3)S
1347(above\))S
1569(will)S
1714(be)S
1819(permitted)S
2113(\(by)S
2244(rule)S
2389(A\),)S
2519(and)S
2657(packets)S
2897(from)S
3068(the)S
3130 642(l)U
556 720(b)U
556 642(university's)U
895(general)S
1116(network)S
1360(to)S
1439(the)S
1547(company's)S
1864(general)S
2085(network)S
2329(\(such)S
2500(as)S
2582(packet)S
2780(4)S
2840(above\))S
3046(wil)S
589 720(e)U
640(denied)S
837(\(by)S
947(rule)S
1071(C\).)S
706 819(I)U
(f,)R
806(however,)S
1088(the)S
1206(router)S
1401(reorders)S
1655(the)S
1773(rules)S
1939(by)S
2043(sorting)S
2264(them)S
2433(into)S
2573(order)S
2750(by)S
2854(number)S
3093(of)S
3131 897(,)U
556 975(t)U
556 897(signi\256cant)U
855(bits)S
975(in)S
1051(the)S
1156(source)S
1353(address)S
1576(then)S
1714(number)S
1940(of)S
2020(signi\256cant)S
2319(bits)S
2439(in)S
2515(the)S
2620(destination)S
2933(address)S
574 975(he)U
664(same)S
827(set)S
928(of)S
1011(rules)S
1167(will)S
1297(be)S
1387(applied)S
1608(in)S
1687(the)S
1795(order)S
1962(BAC.)S
2164(If)S
2235(the)S
2342(rules)S
2497(are)S
2604(applied)S
2824(in)S
2902(the)S
3009(order)S
3 F
556 1209(2)U
1 F
556 1053(BAC,)U
731(packet)S
924(2)S
979(will)S
1103(be)S
1187(denied,)S
1401(when)S
1566(we)S
1665(want)S
1815(it)S
1873(to)S
1946(be)S
2030(permitted.)S
3 F
589 1209(.4.)U
700(Packet)S
912(\256ltering)S
1157(caveats)S
1977 1365(s)U
556(2.4.1.)S
750(Complexity)S
1098(of)S
1175(packet)S
1384(\256ltering)S
1629(speci\256cation)S
1 F
706 1464(In)U
785(fact,)S
924(there's)S
1127(a)S
1180(subtle)S
1360(error)S
1511(in)S
1585(this)S
1703(example)S
1948(that)S
2069(illustrates)S
2347(how)S
2484(dif\256cult)S
2715(it)S
2774(is)S
2841(to)S
2915(correctly)S
3130 1542(t)U
556 1620(a)U
556 1542(set)U
665(up)S
767(\256lters)S
952(using)S
1130(such)S
1286(low-level)S
1569(speci\256cations.)S
2001(Rule)S
2160(B)S
2239(above,)S
2448(which)S
2644(appears)S
2880(to)S
2966(restric)S
585 1620(ccess)U
751(from)S
906(the)S
5 F
1013(")S
1 F
(hacker)R
1243(haven)S
5 F
(")R
1 F
1455(net,)S
1579(is)S
1650(actually)S
1884(super\257uous)S
2216(and)S
2338(unnecessary,)S
2704(and)S
2826(is)S
2896(the)S
3002(cause)S
3119 1698(e)U
556 1776(r)U
556 1698(of)U
639(the)S
747(incorrect)S
1008(denial)S
1196(of)S
1279(packet)S
1478(2)S
1539(if)S
1607(the)S
1715(rules)S
1871(are)S
1979(applied)S
2200(in)S
2279(the)S
2386(order)S
2552(BAC.)S
2754(If)S
2825(you)S
2951(remov)S
578 1776(ule)U
693(B,)S
789(both)S
941(types)S
1115(of)S
1205(routers)S
1422(\(those)S
1617(that)S
1749(apply)S
1929(rules)S
2091(in)S
2176(the)S
2290(order)S
2463(speci\256ed,)S
2748(and)S
2877(those)S
3050(that)S
556 1932(r)U
556 1854(reorder)U
772(rules)S
926(by)S
1018(number)S
1245(of)S
1326(signi\256cant)S
1626(bits)S
1747(in)S
1824(source)S
2022(or)S
2103(destination)S
2417(addresses\))S
2718(will)S
2845(process)S
3068(the)S
578 1932(ules)U
706(in)S
779(the)S
881(order)S
1042(AC.)S
1195(When)S
1374(processed)S
1656(in)S
1729(that)S
1849(order,)S
2027(the)S
2129(result)S
2297(table)S
2446(becomes:)S
3 F
706 2049(Packet)U
995(SrcAddr)S
1409(DstAddr)S
1790(Desired)S
2028(Action)S
2314(AC)S
2432(action)S
1 F
784 2127(1)U
995(135.79.99.1)S
1409(123.45.1.1)S
1790(deny)S
2314(deny)S
2464(\(C\))S
2577 2205(\))U
784 2283(3)U
784 2205(2)U
995(135.79.99.1)S
1409(123.45.6.1)S
1790(permit)S
2314(permit)S
2507(\(A)S
995 2283(135.79.1.1)U
1409(123.45.6.1)S
1790(permit)S
2314(permit)S
2507(\(A\))S
556 2475(T)U
784 2361(4)U
995(135.79.1.1)S
1409(123.45.1.1)S
1790(deny)S
2314(deny)S
2464(\(C\))S
596 2475(here)U
741(are)S
853(two)S
984(points)S
1177(here.)S
1360(First,)S
1529(correctly)S
1793(specifying)S
2098(\256lters)S
2279(is)S
2354(dif\256cult.)S
2632(Second,)S
2874(reordering)S
3130 2553(t)U
556 2631(w)U
556 2553(\256ltering)U
791(rules)S
946(makes)S
1141(correctly)S
1400(specifying)S
1700(\256lters)S
1876(even)S
2026(more)S
2187(dif\256cult,)S
2438(by)S
2530(turning)S
2746(a)S
2801(\256lter)S
2951(set)S
3050(tha)S
604 2631(orks)U
748(\(even)S
924(if)S
994(it's)S
1108(in)S
1189(fact)S
1317(overspeci\256ed\))S
1720(if)S
1790(evaluated)S
2071(in)S
2152(the)S
2262(order)S
2431(given)S
2606(into)S
2737(a)S
2795(\256lter)S
2948(set)S
3050(that)S
556 2709(doesn't)U
772(work.)S
706 2808(Even)U
875(though)S
1092(the)S
1206(example)S
1462(presented)S
1748(above)S
1938(is)S
2015(a)S
2077(relativel)S
2291(y)S
2357(simple)S
2565(applicati)S
2790(on)S
2889(of)S
2977(packet)S
556 2964(u)U
556 2886(\256ltering,)U
809(most)S
965(administrators)S
1368(will)S
1497(probably)S
1758(read)S
1898(through)S
2130(it)S
2193(several)S
2406(times)S
2575(before)S
2770(they)S
2910(feel)S
3035(they)S
589 2964(nderstand)U
869(what)S
1021(is)S
1089(going)S
1263(on.)S
1392(Consider)S
1654(that)S
1776(the)S
1880(more)S
2039(dif\256cult)S
2271(the)S
2375(rules)S
2526(are)S
2629(to)S
2703(comprehend,)S
3068(the)S
3119 3042(e)U
556 3120(s)U
556 3042(less)U
685(likely)S
864(the)S
973(rules)S
1130(will)S
1261(be)S
1352(correct)S
1563(and)S
1687(complete.)S
1995(The)S
2126(way)S
2265(in)S
2345(which)S
2535(\256ltering)S
2772(rules)S
2929(must)S
3086(b)S
582 3120(peci\256ed)U
824(and)S
953(the)S
1067(order)S
1240(in)S
1325(which)S
1520(they)S
1667(are)S
1781(applied)S
2008(are)S
2122(key)S
2251(determinant)S
2564(s)S
2624(of)S
2712(how)S
2859(useful)S
3053(and)S
3126 3198(-)U
556 3276(t)U
556 3198(powerful)U
820(a)S
875(given)S
1047(router's)S
1278(\256ltering)S
1512(capabilit)S
1737(ies)S
1835(are.)S
1979(Most)S
2140(implement)S
2420(ations)S
2602(require)S
2813(the)S
2918(adminis)S
574 3276(rator)U
726(to)S
804(specify)S
1021(\256lters)S
1198(in)S
1276(ways)S
1439(which)S
1627(make)S
1796(the)S
1903(\256lters)S
2080(easy)S
2224(for)S
2328(the)S
2435(router)S
2619(to)S
2697(parse)S
2863(and)S
2985(apply,)S
3 F
556 3510(2)U
1 F
556 3354(but)U
662(make)S
826(them)S
979(very)S
1118(dif\256cult)S
1348(for)S
1447(the)S
1549(administrator)S
1921(to)S
1994(comprehend)S
2341(and)S
2458(consider.)S
3 F
589 3510(.4.2.)U
750(Reliance)S
1013(on)S
1105(accurate)S
1368(IP)S
1456(source)S
1661(addresses)S
1 F
706 3609(M)U
(ost)R
868(\256ltering)S
1102(implement)S
1382(ations,)S
1582(of)S
1663(necessity,)S
1947(rely)S
2075(on)S
2167(the)S
2273(accuracy)S
2532(of)S
2613(IP)S
2698(source)S
2895(addresses)S
556 3765([)U
556 3687(to)U
634(make)S
803(\256ltering)S
1038(decisions.)S
1327(IP)S
1413(source)S
1612(addresses)S
1892(can)S
2010(easily)S
2190(be)S
2278(faked,)S
2467(however,)S
2737(as)S
2818(discussed)S
3097(in)S
578 3765(Bellovin89],)U
948([Kent89],)S
1242([Bellovin92a],)S
1663(and)S
1797([Bellovin92b].)S
2243(This)S
2398(is)S
2480(a)S
2547(particular)S
2836(case)S
2987(where)S
3130 3843(l)U
556 3921(m)U
556 3843(being)U
729(able)S
865(to)S
943(\256lter)S
1094(inbound)S
1337(packets)S
1561(is)S
1631(useful.)S
1835(If)S
1905(a)S
1960(packet)S
2157(that)S
2281(appears)S
2508(to)S
2585(be)S
2673(from)S
2827(one)S
2948(interna)S
607 3921(achine)U
801(to)S
875(another)S
1095(internal)S
1318(machine)S
1563(comes)S
1754(in)S
1828(over)S
1968(the)S
2070(link)S
2194(from)S
2344(the)S
2446(outside)S
2658(world,)S
2851(you)S
2972(should)S
3115 3999(n)U
556 4077(t)U
556 3999(be)U
643(mighty)S
854(suspicious.)S
1193(If)S
1262(your)S
1407(router)S
1588(can)S
1703(be)S
1789(told)S
1915(to)S
1990(drop)S
2135(such)S
2280(packets)S
2501(using)S
2668(inbound)S
2908(\256lters)S
3082(o)S
574 4077(he)U
672(external)S
919(interface,)S
1201(your)S
1358(\256ltering)S
1601(speci\256cations)S
1994(for)S
2106(internal)S
2341(interfaces)S
2631(can)S
2757(be)S
2854(made)S
3031(both)S
556 4155(much)U
724(simpler)S
943(and)S
1060(more)S
1217(secure.)S
1791 4548(-)U
1835(5)S
1890(-)S
EP
%%Page: ? 6
BP
3 F
66 Z
556 486(2.4.3.)U
750(Dangers)S
1007(of)S
1084(IP)S
1172(source)S
1377(routing)S
1 F
706 585(Another)U
946(IP)S
1029(feature)S
1235(ripe)S
1361(for)S
1461(potential)S
1713(abuse)S
1886(is)S
1953(IP)S
2035(source)S
2230(routing.)S
2482(Essentially,)S
2810(an)S
2895(IP)S
2977(packet)S
556 741(t)U
556 663(with)U
699(source)S
897(routing)S
1113(information)S
1449(included)S
1701(tells)S
1836(routers)S
2045(how)S
2185(to)S
2262(route)S
2423(the)S
2529(packet,)S
2743(rather)S
2922(than)S
3061(let-)S
574 741(ing)U
688(the)S
798(routers)S
1010(decide)S
1210(for)S
1316(themselves.)S
1676(An)S
1786(attacker)S
2022(could)S
2197(use)S
2314(this)S
2438(to)S
2518(their)S
2667(advantage)S
2962([Bello-)S
3126 819(r)U
556 897(i)U
556 819(vin89].)U
793(Unless)S
999(you)S
1124(have)S
1274(a)S
1329(speci\256c)S
1556(need)S
1705(to)S
1781(allow)S
1952(packets)S
2174(with)S
2316(IP)S
2400(source)S
2597(routes)S
2783(between)S
3027(you)S
574 897(nternal)U
783(network)S
1026(and)S
1148(the)S
1254(outside)S
1470(world,)S
1667(it's)S
1777(probably)S
2037(a)S
2092(good)S
2250(idea)S
2385(for)S
2488(your)S
2635(router)S
2818(to)S
2895(ignore)S
3089(IP)S
3126 975(-)U
556 1053(a)U
556 975(source)U
753(route)S
913(instructions;)S
1263(whether)S
1500(source)S
1697(routing)S
1912(can)S
2028(be)S
2115(disabled,)S
2376(whether)S
2613(it)S
2674(is)S
2742(enabled)S
2970(or)S
3049(dis)S
585 1053(bled)U
720(by)S
808(default,)S
1029(and)S
1146(how)S
1282(to)S
1355(disable)S
1563(it)S
1621(vary)S
1760(from)S
1910(vendor)S
2115(to)S
2188(vendor.)S
3 F
556 1209(2.4.4.)U
750(Complications)S
1179(due)S
1304(to)S
1381(IP)S
1469(fragmentation)S
1 F
706 1308(Yet)U
831(another)S
1058(complicat)S
1316(ion)S
1430(to)S
1511(packet)S
1712(\256ltering)S
1950(is)S
2024(IP)S
2113(packet)S
2313(fragmentati)S
2615(on.)S
2727(IP)S
2815(supports)S
3068(the)S
3126 1386(r)U
556 1464(p)U
556 1386(notion)U
754(that)S
882(any)S
1007(router)S
1194(along)S
1370(a)S
1428(packet's)S
1676(path)S
1818(may)S
5 F
1960(")S
1 F
(fragment)R
5 F
(")R
1 F
2282(that)S
2409(packet)S
2609(into)S
2740(several)S
2955(smalle)S
589 1464(ackets,)U
795(to)S
871(accommodat)S
1206(e)S
1260(the)S
1365(limitat)S
1535(ions)S
1670(of)S
1750(underlying)S
2060(media,)S
2262(to)S
2337(be)S
2423(reassembled)S
2772(into)S
2898(the)S
3002(origi-)S
3130 1542(t)U
556 1620(f)U
556 1542(nal)U
661(IP)S
745(packet)S
941(at)S
1013(the)S
1118(destination.)S
1470(For)S
1587(instance,)S
1844(an)S
1931(FDDI)S
2111(frame)S
2288(is)S
2356(much)S
2526(larger)S
2703(than)S
2840(an)S
2926(Etherne)S
578 1620(rame;)U
753(a)S
808(router)S
991(between)S
1236(an)S
1324(FDDI)S
1505(ring)S
1637(and)S
1758(an)S
1846(Ethernet)S
2094(may)S
2233(need)S
2383(to)S
2460(split)S
2599(an)S
2687(IP)S
2772(packet)S
2969(that)S
3093(\256t)S
556 1776(p)U
556 1698(in)U
634(a)S
690(single)S
874(FDDI)S
1056(frame)S
1235(into)S
1363(multiple)S
1607(fragments)S
1896(that)S
2020(\256t)S
2101(into)S
2229(the)S
2335(smaller)S
2554(Ethernet)S
2802(frames.)S
3046(The)S
589 1776(roblem)U
804(with)S
950(this,)S
1091(from)S
1248(a)S
1306(packet)S
1505(\256ltering)S
1741(point)S
1904(of)S
1987(view,)S
2160(is)S
2232(that)S
2358(only)S
2503(the)S
2611(\256rst)S
2742(of)S
2825(the)S
2933(IP)S
3020(frag-)S
556 1932(m)U
556 1854(ments)U
745(has)S
865(the)S
977(higher-level)S
1326(protocol)S
1577(\(TCP)S
1752(or)S
1839(UDP\))S
2026(headers)S
2259(from)S
2419(the)S
2531(original)S
2767(packet,)S
2987(which)S
607 1932(ay)U
704(be)S
801(necessary)S
1092(to)S
1178(make)S
1355(a)S
1419(\256ltering)S
1662(decision)S
1915(concerning)S
2241(the)S
2355(fragment.)S
2665(Different)S
2940(\256ltering)S
3119 2010(e)U
556 2088(\256)U
556 2010(implement)U
836(ations)S
1023(take)S
1162(a)S
1221(variety)S
1433(of)S
1518(responses)S
1805(to)S
1886(this)S
2011(situation.)S
2306(Some)S
2486(apply)S
2662(\256lters)S
2842(only)S
2988(to)S
3068(th)S
593 2088(rst)U
689(fragment)S
956(\(which)S
1169(contains)S
1418(the)S
1528(necessary)S
1814(higher-level)S
2161(protocol)S
2410(headers\),)S
2680(and)S
2805(simply)S
3013(route)S
3119 2166(e)U
556 2244(f)U
556 2166(the)U
665(rest,)S
806(on)S
901(the)S
1010(assumption)S
1339(that)S
1466(if)S
1535(the)S
1644(\256rst)S
1776(fragment)S
2041(is)S
2113(dropped)S
2357(by)S
2451(the)S
2559(\256lters,)S
2754(the)S
2862(rest)S
2985(of)S
3068(th)S
578 2244(ragments)U
848(can't)S
1008(be)S
1099(reassembled)S
1453(into)S
1584(a)S
1642(full)S
1762(packet,)S
1979(and)S
2103(will)S
2234(cause)S
2409(no)S
2503(harm)S
2666([CHS91].)S
2972(Others)S
556 2400(l)U
556 2322(keep)U
709(a)S
767(cache)S
945(of)S
1029(recently-seen)S
1408(\256rst)S
1540(fragments)S
1832(and)S
1956(the)S
2064(\256ltering)S
2300(decision)S
2547(that)S
2673(was)S
2804(reached,)S
3053(and)S
574 2400(ook)U
702(up)S
797(non-\256rst)S
1050(fragments)S
1342(in)S
1422(this)S
1546(cache)S
1723(in)S
1802(order)S
1969(to)S
2048(apply)S
2222(the)S
2330(same)S
2493(decision)S
2740([Mogul89].)S
3093(In)S
3130 2478(t)U
556 2556(b)U
556 2478(particular,)U
852(it)S
916(is)S
988(dangerous)S
1287(to)S
1366(suppress)S
1622(only)S
1767(the)S
1875(\256rst)S
2005(fragment)S
2269(of)S
2351(outbound)S
2627(packets;)S
2869(you)S
2995(migh)S
589 2556(e)U
640(leaking)S
855(valuable)S
1099(data)S
1230(in)S
1303(the)S
1405(non-\256rst)S
1651(fragments)S
1936(that)S
2056(are)S
2158(routed)S
2348(on)S
2436(out.)S
3 F
556 2712(3.)U
650(Filtering-Relate)S
1095(d)S
1154(Characteristics)S
1604(of)S
1681(Application)S
2033(Protocols)S
1 F
706 2811(Each)U
870(applicati)S
1095(on)S
1194(protocol)S
1446(has)S
1566(its)S
1660(own)S
1806(particular)S
2089(characteri)S
2347(stics)S
2496(that)S
2626(relate)S
2803(to)S
2886(IP)S
2977(packet)S
556 2967(g)U
556 2889(\256ltering,)U
815(that)S
947(may)S
1094(or)S
1183(may)S
1330(not)S
1448(differ)S
1627(from)S
1788(other)S
1956(protocols.)S
2273(Particular)S
2561(implement)S
2841(ations)S
3031(of)S
3119(a)S
589 2967(iven)U
730(protocol)S
977(also)S
1111(have)S
1263(their)S
1411(own)S
1553(characteri)S
1811(stics)S
1956(that)S
2082(are)S
2190(not)S
2301(a)S
2357(result)S
2530(of)S
2612(the)S
2719(protocol)S
2965(per)S
3076(se,)S
556 3123(t)U
556 3045(but)U
663(a)S
715(result)S
883(of)S
960(design)S
1154(decisions)S
1421(made)S
1585(by)S
1673(the)S
1775(implement)S
2055(ors.)S
2197(Since)S
2365(these)S
2522(implement)S
2802(ation)S
2955(charac-)S
574 3123(eristics)U
787(are)S
894(not)S
1005(covered)S
1240(in)S
1318(the)S
1425(speci\256cation)S
1784(of)S
1866(the)S
1973(protocol)S
2219(\(though)S
2450(they)S
2589(aren't)S
2768(counter)S
2991(to)S
3068(the)S
3131 3201(,)U
556 3279(a)U
556 3201(speci\256cation\),)U
954(they)S
1094(are)S
1201(likely)S
1377(to)S
1455(vary)S
1599(between)S
1845(different)S
2098(implement)S
2378(ations)S
2562(of)S
2644(the)S
2751(same)S
2912(protocol)S
585 3279(nd)U
678(might)S
858(change)S
1071(even)S
1222(within)S
1417(a)S
1473(given)S
1646(implement)S
1926(ation)S
2083(as)S
2164(that)S
2288(implement)S
2568(ation)S
2725(evolves.)S
2991(These)S
3122 3357(s)U
556 3435(t)U
556 3357(characteri)U
814(stics)S
959(include)S
1180(what)S
1336(port)S
1469(a)S
1525(server)S
1713(uses,)S
1871(what)S
2026(port)S
2159(a)S
2215(client)S
2387(uses,)S
2545(whether)S
2784(the)S
2891(service)S
3104(i)S
574 3435(ypically)U
812(offered)S
1029(over)S
1173(UDP)S
1333(or)S
1415(TCP)S
1563(or)S
1645(both,)S
1806(and)S
1928(so)S
2014(forth.)S
2207(An)S
2314(understanding)S
2713(of)S
2794(these)S
2955(charac-)S
556 3591(p)U
556 3513(teristics)U
787(is)S
858(essential)S
1111(for)S
1215(setting)S
1417(up)S
1510(effective)S
1766(\256lters)S
1943(to)S
2021(allow,)S
2211(disallow,)S
2478(or)S
2560(limit)S
2710(the)S
2817(use)S
2932(of)S
3013(these)S
589 3591(rotocols.)U
869(Appendix)S
1158(A)S
1235(discusses)S
1510(in)S
1590(detail)S
1764(the)S
1873(\256ltering-relat)S
2219(ed)S
2310(characteri)S
2568(stics)S
2714(of)S
2798(several)S
3013(com-)S
3 F
556 3825(3)U
1 F
556 3669(mon)U
695(protocols.)S
3 F
589 3825(.1.)U
5 F
700(")S
3 F
(Rand)R
883(om)S
5 F
(")R
3 F
1021(ports)S
1190(aren't)S
1384(really)S
1566(random)S
1 F
706 3924(A)U
(lthough)R
980(implement)S
1260(ations)S
1442(of)S
1522(various)S
1741(protocols)S
2011(might)S
2189(appear)S
2389(to)S
2465(use)S
2578(a)S
5 F
2632(")S
1 F
(random)R
5 F
(")R
1 F
2914(ports)S
3071(for)S
556 4080(u)U
556 4002(the)U
666(client)S
841(end)S
966(and)S
1091(a)S
1150(well-known)S
1495(port)S
1631(for)S
1738(the)S
1848(server)S
2039(end,)S
2181(the)S
2291(ports)S
2452(chosen)S
2664(for)S
2770(the)S
2879(client)S
3053(end)S
589 4080(sed)U
699(are)S
801(usually)S
1013(not)S
1119(totally)S
1308(random.)S
1548(While)S
1730(not)S
1836(explicitl)S
2050(y)S
2105(supported)S
2387(by)S
2475(the)S
2577(RFCs,)S
2767(systems)S
2998(based)S
556 4236(o)U
556 4158(on)U
648(BSD)S
803(UNIX)S
995(usually)S
1211(reserve)S
1427(ports)S
1585(below)S
1772(1024)S
1930(for)S
2033(use)S
2147(by)S
5 F
2239(")S
1 F
(privileged)R
5 F
(")R
1 F
2587(processes,)S
2882(and)S
3002(allow)S
589 4236(nly)U
707(processes)S
994(running)S
1233(as)S
1322(root)S
1462(to)S
1547(bind)S
1698(to)S
1783(those)S
1956(ports;)S
2140(conversely,)S
2475(non-privileged)S
2895(processes)S
3122 4314(s)U
556(must)S
711(use)S
826(ports)S
984(at)S
1057(or)S
1138(above)S
1321(1024.)S
1518(Further,)S
1755(if)S
1821(a)S
1876(program)S
2125(doesn't)S
2345(request)S
2561(a)S
2616(particular)S
2893(port,)S
3042(it)S
3104(i)S
1791 4548(-)U
1835(6)S
1890(-)S
EP
%%Page: ? 7
BP
1 F
66 Z
3131 486(,)U
556 564(t)U
556 486(often)U
719(simply)S
926(assigned)S
1181(the)S
1289(port)S
1423(after)S
1571(the)S
1678(last)S
1796(one)S
1918(assigned;)S
2190(if)S
2257(the)S
2364(last)S
2482(port)S
2615(assigned)S
2869(was)S
2999(5150)S
574 564(he)U
658(next)S
793(one)S
910(assigned)S
1159(will)S
1283(probably)S
1539(be)S
1623(5151.)S
3 F
1761 720(s)U
556(3.2.)S
700(Privilege)S
947(d)S
1006(versus)S
1208(non-privileged)S
1640(port)S
1 F
706 819(The)U
832(distinction)S
1133(between)S
5 F
1376(")S
1 F
(privileged)R
5 F
(")R
1 F
1721(and)S
5 F
1839(")S
1 F
(non-privileged)R
5 F
(")R
1 F
2305(ports)S
2460(\(those)S
2644(below)S
2828(1024)S
2983(and)S
3101(at)S
3130 897(t)U
556 975(d)U
556 897(or)U
639(above)S
824(1024,)S
1001(respectively\))S
1368(is)S
1440(found)S
1622(throughout)S
1939(BSD-based)S
2268(systems)S
2505(\(and)S
2650(other)S
2813(systems)S
3050(tha)S
589 975(raw)U
718(from)S
875(a)S
933(BSD)S
1091(background;)S
1449(keep)S
1602(in)S
1682(mind)S
1846(that)S
1973(almost)S
2177(all)S
2271(UNIX)S
2466(IP)S
2554(networking,)S
2900(including)S
3126 1053(-)U
556 1131(t)U
556 1053(SysV)U
723(IP)S
805(networking,)S
1145(draws)S
1326(heavily)S
1542(from)S
1693(the)S
1796(original)S
2023(BSD)S
2175(network)S
2414(implement)S
2694(ation\).)S
2909(This)S
3049(dis)S
574 1131(inction)U
784(is)S
856(not)S
968(codi\256ed)S
1208(in)S
1287(the)S
1395(RFCs,)S
1591(and)S
1714(is)S
1786(therefore)S
2051(best)S
2185(regarded)S
2443(as)S
2526(a)S
2582(widely)S
2788(used)S
2936(conven-)S
556 1287(c)U
556 1209(tion,)U
705(but)S
818(not)S
931(as)S
1015(a)S
1073(standard.)S
1364(Nonetheless,)S
1732(if)S
1801(you're)S
2002(protecting)S
2297(UNIX)S
2492(systems,)S
2747(the)S
2856(convention)S
585 1287(an)U
676(be)S
767(a)S
825(useful)S
1014(one.)S
1154(You)S
1296(can,)S
1432(for)S
1537(instance,)S
1797(generally)S
2069(forbid)S
2258(all)S
2351(inbound)S
2595(connections)S
2937(to)S
3016(ports)S
556 1443(t)U
556 1365(below)U
742(1024,)S
916(and)S
1036(then)S
1174(open)S
1326(up)S
1416(speci\256c)S
1641(exceptions)S
1946(for)S
2047(speci\256c)S
2272(services)S
2508(that)S
2630(you)S
2753(wish)S
2902(to)S
2977(enable)S
574 1443(he)U
663(outside)S
880(world)S
1061(to)S
1139(use,)S
1271(such)S
1419(as)S
1501(SMTP,)S
1718(TELNET,)S
2010(or)S
2092(FTP;)S
2251(to)S
2329(allow)S
2502(the)S
5 F
2609(")S
1 F
(return)R
5 F
(")R
1 F
2848(packets)S
3071(for)S
556 1599(1)U
556 1521(connections)U
901(to)S
983(such)S
1135(services,)S
1395(you)S
1525(allow)S
1702(all)S
1798(packets)S
2026(to)S
2108(external)S
2349(destination)S
2667(ports)S
2829(at)S
2906(or)S
2991(above)S
589 1599(024.)U
706 1698(While)U
891(it)S
952(would)S
1142(simplify)S
1386(\256ltering)S
1619(if)S
1684(all)S
1774(services)S
2011(were)S
2163(offered)S
2377(on)S
2467(ports)S
2623(below)S
2808(1024)S
2964(and)S
3083(all)S
556 1854(a)U
556 1776(clients)U
753(used)S
900(ports)S
1058(at)S
1131(or)S
1211(above)S
1393(1024,)S
1567(many)S
1738(vulnerable)S
2040(services)S
2277(\(such)S
2445(as)S
2525(X,)S
2615(OpenWindows,)S
3053(and)S
609 1854(number)U
834(of)S
913(database)S
1163(servers\))S
1396(use)S
1508(server)S
1693(ports)S
1849(at)S
1920(or)S
1998(above)S
2178(1024,)S
2350(and)S
2468(several)S
2677(vulnerable)S
2977(clients)S
556 2010(e)U
556 1932(\(such)U
730(as)S
816(the)S
927(Berkeley)S
1195(r*)S
1281(programs\))S
1583(use)S
1701(client)S
1876(ports)S
2038(below)S
2229(1024.)S
2430(These)S
2617(should)S
2823(be)S
2915(carefully)S
585 2010(xcepted)U
816(from)S
971(the)S
5 F
1078(")S
1 F
(allow)R
1279(all)S
1371(packets)S
1595(to)S
1673(destination)S
1988(ports)S
2147(at)S
2221(or)S
2303(above)S
2487(1024)S
5 F
(")R
1 F
2674(type)S
2814(of)S
2896(rules)S
3050(that)S
3 F
556 2244(4)U
1 F
556 2088(allow)U
724(return)S
903(packets)S
1122(for)S
1221(outbound)S
1492(services.)S
3 F
589 2244(.)U
650(Problems)S
939(With)S
1104(Current)S
1357(Packet)S
1569(Filtering)S
1835(Implementations)S
1 F
3115 2343(n)U
556 2421(t)U
706 2343(IP)U
792(packet)S
990(\256ltering,)S
1242(while)S
1415(a)S
1471(useful)S
1659(network)S
1901(security)S
2135(tool,)S
2280(is)S
2350(not)S
2460(a)S
2515(panacea,)S
2769(particularl)S
3038(y)S
3097(i)S
574 2421(he)U
662(form)S
816(in)S
893(which)S
1080(it)S
1142(is)S
1211(currently)S
1473(implement)S
1753(ed)S
1840(by)S
1931(many)S
2102(vendors.)S
2375(Problems)S
2649(with)S
2791(many)S
2962(current)S
556 2577(U)U
556 2499(implement)U
836(ations)S
1016(include)S
1232(complexity)S
1550(of)S
1628(con\256guration)S
2002(and)S
2119(administrati)S
2432(on,)S
2537(omission)S
2797(of)S
2874(the)S
2976(source)S
604 2577(DP/TCP)U
855(port)S
988(from)S
1143(the)S
1250(\256elds)S
1420(that)S
1545(\256ltering)S
1780(can)S
1898(be)S
1987(based)S
2163(on,)S
2272(unexpected)S
2597(interacti)S
2811(ons)S
2929(between)S
3119 2655(e)U
556 2733(s)U
5 F
556 2655(")U
1 F
(unrelated)R
5 F
(")R
1 F
897(parts)S
1066(of)S
1162(the)S
1283(\256lter)S
1448(rule)S
1591(set,)S
1721(cumbersome)S
2097(\256lter)S
2261(speci\256cations)S
2659(forced)S
2867(by)S
2973(simpl)S
582 2733(peci\256cation)U
927(mechanisms,)S
1308(a)S
1376(lack)S
1523(of)S
1616(testing)S
1829(and)S
1962(debugging)S
2278(tools,)S
2461(and)S
2594(an)S
2694(inability)S
2950(to)S
3039(deal)S
3 F
556 2967(4)U
1 F
556 2811(effectivel)U
803(y)S
858(with)S
997(RPC-based)S
1316(protocols)S
1583(such)S
1726(as)S
1803(YP/NIS)S
2035(and)S
2152(NFS.)S
3 F
589 2967(.1.)U
700(Filters)S
904(are)S
1017(dif\256cult)S
1259(to)S
1336(con\256gure)S
1 F
706 3066(T)U
(he)R
832(\256rst)S
959(problem)S
1202(with)S
1343(many)S
1513(current)S
1723(IP)S
1806(packet)S
2001(\256ltering)S
2232(implement)S
2512(ations)S
2692(as)S
2770(network)S
3009(secu-)S
556 3222(t)U
556 3144(rity)U
670(mechanisms)S
1018(is)S
1085(that)S
1206(the)S
1309(\256ltering)S
1540(is)S
1607(usually)S
1820(very)S
1960(dif\256cult)S
2191(to)S
2265(con\256gure,)S
2554(modify,)S
2784(maintain,)S
3053(and)S
574 3222(est,)U
689(leaving)S
906(the)S
1010(administrator)S
1384(with)S
1525(little)S
1668(con\256dence)S
1977(that)S
2099(the)S
2203(\256lters)S
2377(are)S
2481(correctly)S
2738(and)S
2857(completel)S
3115(y)S
3119 3300(e)U
556 3378(r)U
556 3300(speci\256ed.)U
859(The)S
990(simple)S
1194(syntax)S
1395(used)S
1545(in)S
1625(many)S
1800(\256ltering)S
2037(implement)S
2317(ations)S
2503(makes)S
2700(life)S
2816(easy)S
2962(for)S
3068(th)S
578 3378(outer)U
739(\(it's)S
871(easy)S
1014(for)S
1116(the)S
1221(router)S
1403(to)S
1479(parse)S
1643(the)S
1748(\256lter)S
1897(speci\256cations,)S
2297(and)S
2417(fast)S
2537(for)S
2639(the)S
2744(router)S
2926(to)S
3002(apply)S
3115 3456(d)U
556 3534(o)U
556 3456(them\),)U
750(but)S
857(dif\256cult)S
1088(for)S
1188(the)S
1291(administrator)S
1664(\(it's)S
1793(like)S
1914(programming)S
2295(in)S
2369(assembly)S
2637(language\).)S
2958(Instea)S
589 3534(f)U
638(being)S
811(able)S
947(to)S
1025(use)S
1140(high-level)S
1433(language)S
1697(abstractions)S
2037(\()S
5 F
(")R
1 F
(if)R
2153(this)S
2274(and)S
2395(that)S
2519(and)S
2640(not)S
2750(something-else)S
3130 3612(;)U
556 3690(t)U
556 3612(then)U
692(permit)S
886(else)S
1011(deny)S
5 F
(")R
1 F
(\),)R
1229(the)S
1332(administrator)S
1705(is)S
1772(forced)S
1963(to)S
2037(produce)S
2272(a)S
2324(tabular)S
2529(representation)S
2924(of)S
3002(rules)S
574 3690(he)U
658(desired)S
870(behavior)S
1122(may)S
1257(or)S
1334(may)S
1469(not)S
1575(map)S
1710(well)S
1845(on)S
1933(to)S
2006(such)S
2149(a)S
2200(representation.)S
3130 3789(t)U
556 3867(\256)U
706 3789(Administrators)U
1125(often)S
1284(consider)S
1531(networking)S
1855(activity)S
2075(in)S
2150(terms)S
2320(of)S
5 F
2398(")S
1 F
(connections)R
5 F
(")R
1 F
(,)R
2808(while)S
2977(packe)S
593 3867(ltering,)U
804(by)S
893(de\256nition,)S
1185(is)S
1252(concerned)S
1545(with)S
1685(the)S
1788(packets)S
2008(making)S
2228(up)S
2317(a)S
2368(connection.)S
2695(An)S
2798(administrator)S
3130 3945(t)U
556 4023(l)U
556 3945(might)U
741(think)S
908(in)S
990(terms)S
1167(of)S
5 F
1253(")S
1 F
(an)R
1374(inbound)S
1621(SMTP)S
1825(connection)S
5 F
(")R
1 F
(,)R
2189(but)S
2304(this)S
2430(must)S
2589(be)S
2682(translated)S
2968(into)S
3101(a)S
574 4023(east)U
701(two)S
825(\256ltering)S
1058(rules)S
1211(\(one)S
1353(for)S
1455(the)S
1560(inbound)S
1801(packets)S
2023(from)S
2176(the)S
2281(client)S
2451(to)S
2527(the)S
2631(server,)S
2833(and)S
2952(one)S
3071(for)S
3126 4101(-)U
556 4179(t)U
556 4101(the)U
661(outbound)S
935(packets)S
1157(from)S
1309(the)S
1413(server)S
1598(back)S
1746(to)S
1821(the)S
1925(client\))S
2116(in)S
2191(a)S
2244(table-driven)S
2585(\256ltering)S
2817(implement)S
3097(a)S
574 4179(ion.)U
723(The)S
851(concept)S
1080(of)S
1160(a)S
1214(connection)S
1527(is)S
1596(applied)S
1814(even)S
1963(when)S
2131(considering)S
2463(a)S
2517(connectionle)S
2852(ss)S
2929(protocol)S
556 4335(c)U
556 4257(such)U
709(as)S
796(UDP)S
961(or)S
1048(ICMP;)S
1260(for)S
1369(instance,)S
1633(administrators)S
2040(speak)S
2221(of)S
5 F
2307(")S
1 F
(NFS)R
2488(connections)S
5 F
(")R
1 F
2861(and)S
5 F
2987(")S
1 F
(DNS)R
585 4335(onnections)U
5 F
(")R
1 F
(.)R
969(This)S
1117(mismatch)S
1403(between)S
1653(the)S
1764(abstractions)S
2109(used)S
2261(by)S
2358(many)S
2535(administrators)S
2942(and)S
3068(the)S
1791 4548(-)U
1835(7)S
1890(-)S
EP
%%Page: ? 8
BP
1 F
66 Z
556 486(m)U
(echanisms)R
927(provided)S
1207(by)S
1319(many)S
1511(\256ltering)S
1765(implement)S
2045(ations)S
2248(contributes)S
2586(to)S
2682(the)S
2807(dif\256culty)S
3093(of)S
3 F
556 720(4)U
1 F
556 564(correctly)U
811(and)S
928(completel)S
1186(y)S
1241(specifying)S
1537(packet)S
1730(\256lters.)S
3 F
589 720(.2.)U
700(TCP)S
854(and)S
983(UDP)S
1141(source)S
1346(port)S
1489(are)S
1602(often)S
1767(omitted)S
2005(from)S
2166(\256ltering)S
2411(criteria)S
1 F
3111 819(P)U
556 897(p)U
706 819(Another)U
946(problem)S
1189(is)S
1256(that)S
1377(current)S
1586(\256ltering)S
1817(implement)S
2097(ations)S
2277(often)S
2435(omit)S
2578(the)S
2681(source)S
2876(UDP/TC)S
589 897(ort)U
692(from)S
850(consideration)S
1234(in)S
1315(\256ltering)S
1552(rules,)S
1726(leading)S
1948(to)S
2028(common)S
2287(cases)S
2455(where)S
2645(it)S
2710(is)S
2783(impossible)S
3097(to)S
3126 975(r)U
556 1053(s)U
556 975(allow)U
727(both)S
869(inbound)S
1110(and)S
1229(outbound)S
1502(traf\256c)S
1683(to)S
1758(a)S
1811(service)S
2021(without)S
2246(opening)S
2482(up)S
2572(gaping)S
2775(holes)S
2938(to)S
3013(othe)S
582 1053(ervices.)U
840(For)S
965(instance,)S
1230(without)S
1464(being)S
1643(able)S
1785(to)S
1869(consider)S
2125(both)S
2275(the)S
2388(source)S
2593(and)S
2721(destination)S
3042(port)S
556 1209(\()U
556 1131(numbers)U
812(of)S
896(a)S
954(given)S
1129(packet,)S
1346(you)S
1473(can't)S
1632(allow)S
1806(inbound)S
2050(SMTP)S
2251(connections)S
2593(to)S
2672(internal)S
2900(machines)S
578 1209(for)U
679(inbound)S
919(email\))S
1110(and)S
1229(outbound)S
1502(SMTP)S
1699(connections)S
2037(to)S
2112(all)S
2201(external)S
2436(machines)S
2708(\(so)S
2813(that)S
2935(you)S
3057(can)S
3130 1287(l)U
556 1365(m)U
556 1287(send)U
703(outbound)S
978(mail\))S
1142(without)S
1369(ending)S
1573(up)S
1664(allowing)S
1919(all)S
2009(connections)S
2348(between)S
2592(internal)S
2817(and)S
2937(externa)S
607 1365(achines)U
830(where)S
1017(both)S
1160(ends)S
1307(of)S
1388(the)S
1494(connection)S
1808(are)S
1914(on)S
2006(ports)S
2164(at)S
2237(or)S
2318(above)S
2501(port)S
2633(1024.)S
2829(To)S
2927(see)S
3036(this,)S
556 1521(\()U
556 1443(imagine)U
806(your)S
966(router's)S
1210(rule)S
1351(table)S
1517(has)S
1644(6)S
1716(variables)S
1992(for)S
2108(rules)S
2275(on)S
2379(a)S
2446(given)S
2630(interface:)S
2915(direction)S
578 1521(whether)U
820(the)S
930(packet)S
1131(is)S
1205(inbound)S
1451(to)S
1532(or)S
1617(outbound)S
1896(from)S
2054(internal)S
2283(network\),)S
2567(packet)S
2767(type)S
2909(\(UDP)S
3093(or)S
3126 1599(r)U
556 1677(r)U
556 1599(TCP\),)U
751(source)S
958(address,)S
1208(destination)S
1531(address,)S
1781(destination)S
2104(port,)S
2262(and)S
2391(action)S
2585(\(whether)S
2853(to)S
2938(drop)S
3093(o)S
578 1677(oute)U
726(the)S
841(packet\).)S
1108(You)S
1257(would)S
1457(need)S
1616(5)S
1683(rules)S
1845(in)S
1930(such)S
2085(a)S
2148(table)S
2309(to)S
2394(allow)S
2574(both)S
2725(inbound)S
2975(SMTP)S
3119 1755(e)U
556 1833(a)U
556 1755(\(where)U
762(an)S
847(external)S
1081(host)S
1214(connects)S
1466(to)S
1539(an)S
1623(internal)S
1845(host)S
1977(to)S
2050(send)S
2193(email\))S
2382(and)S
2499(outbound)S
2770(SMTP)S
2965(\(wher)S
585 1833(n)U
644(internal)S
870(host)S
1006(connects)S
1262(to)S
1339(any)S
1460(external)S
1697(host)S
1833(to)S
1910(send)S
2057(mail\).)S
2260(The)S
2388(rules)S
2542(would)S
2732(look)S
2874(something)S
556 1911(like)U
676(this:)S
3 F
706 2028(Rule)U
937(Direction)S
1299(Type)S
1541(SrcAddr)S
1886(DstAddr)S
2232(DstPort)S
2551(Action)S
1 F
2704 2106(t)U
748(A)S
937(in)S
1299(TCP)S
1541(external)S
1886(internal)S
2232(25)S
2551(permi)S
750 2184(B)U
937(out)S
1299(TCP)S
1541(internal)S
1886(external)S
4 F
2232(>)S
1 F
(=1024)R
2551(permit)S
2704 2262(t)U
748 2340(D)U
750 2262(C)U
937(out)S
1299(TCP)S
1541(internal)S
1886(external)S
2232(25)S
2551(permi)S
937 2340(in)U
1299(TCP)S
1541(external)S
1886(internal)S
4 F
2232(>)S
1 F
(=1024)R
2551(permit)S
556 2553(T)U
752 2418(E)U
937(either)S
1299(any)S
1541(any)S
1886(any)S
2232(any)S
2551(deny)S
596 2553(he)U
680(default)S
884(action)S
1066(\(rule)S
1212(E\),)S
1313(if)S
1375(none)S
1525(of)S
1602(the)S
1704(preceding)S
1985(rules)S
2135(apply,)S
2320(is)S
2386(to)S
2459(drop)S
2602(the)S
2704(packet.)S
3131 2652(,)U
556 2730(t)U
706 2652(Rules)U
885(A)S
962(and)S
1086(B,)S
1176(together,)S
1437(allow)S
1612(the)S
5 F
1721(")S
1 F
(inbound)R
5 F
(")R
1 F
2022(SMTP)S
2224(connections;)S
2585(for)S
2690(inbound)S
2934(packets)S
574 2730(he)U
661(source)S
858(address)S
1081(is)S
1150(an)S
5 F
1237(")S
1 F
(external)R
5 F
(")R
1 F
1529(address,)S
1769(the)S
1874(destination)S
2187(address)S
2410(is)S
5 F
2479(")S
1 F
(internal)R
5 F
(")R
1 F
(,)R
2777(and)S
2897(the)S
3002(desti-)S
556 2886(a)U
556 2808(nation)U
747(port)S
880(is)S
951(25,)S
1061(while)S
1234(for)S
1338(outbound)S
1614(packets,)S
1855(the)S
1962(source)S
2161(address)S
2385(is)S
5 F
2455(")S
1 F
(internal)R
5 F
(")R
1 F
(,)R
2754(the)S
2860(destination)S
585 2886(ddress)U
782(is)S
5 F
854(")S
1 F
(external)R
5 F
(")R
1 F
(,)R
1166(and)S
1289(the)S
1397(destination)S
1712(port)S
1845(is)S
1916(at)S
1990(or)S
2072(above)S
2256(1024.)S
2454(Rules)S
2631(C)S
2702(and)S
2824(D,)S
2916(together,)S
556 3042(b)U
556 2964(similarly)U
827(allow)S
1011(the)S
5 F
1129(")S
1 F
(outgoing)R
5 F
(")R
1 F
1457(SMTP)S
1668(connections.)S
2059(Consider,)S
2352(however,)S
2634(a)S
2701(TCP)S
2860(connection)S
589 3042(etween)U
808(an)S
903(internal)S
1136(host)S
1279(and)S
1407(an)S
1502(external)S
1746(host)S
1889(where)S
2083(both)S
2233(ports)S
2398(used)S
2552(in)S
2636(the)S
2748(connection)S
3068(are)S
556 3198(p)U
556 3120(above)U
746(1023.)S
950(Incoming)S
1235(packets)S
1465(for)S
1575(such)S
1729(a)S
1791(connection)S
2112(will)S
2246(be)S
2340(passed)S
2548(by)S
2646(rule)S
2780(D.)S
2899(Outgoing)S
589 3198(ackets)U
782(for)S
888(such)S
1038(a)S
1096(connection)S
1413(will)S
1544(be)S
1635(passed)S
1840(by)S
1935(rule)S
2066(B.)S
2178(The)S
2308(problem)S
2555(is)S
2627(that,)S
2770(while)S
2944(rules)S
3100(A)S
3115 3276(d)U
556 3354(D)U
556 3276(and)U
677(B)S
747(together)S
988(do)S
1080(what)S
1234(you)S
1359(want)S
1513(and)S
1634(rules)S
1788(C)S
1858(and)S
1979(D)S
2053(together)S
2293(do)S
2384(what)S
2537(you)S
2661(want,)S
2831(rules)S
2984(B)S
3053(an)S
634 3354(together)U
879(allow)S
1055(all)S
1149(connections)S
1492(between)S
1740(internal)S
1969(and)S
2093(external)S
2333(hosts)S
2498(where)S
2688(both)S
2834(ends)S
2984(of)S
3068(the)S
556 3510(o)U
556 3432(connection)U
867(are)S
970(on)S
1059(a)S
1110(port)S
1238(number)S
1461(above)S
1640(1024.)S
1833(Current)S
2056(\256lter)S
2202(speci\256cation)S
2556(syntaxes)S
2805(are)S
2907(ripe)S
3031(with)S
589 3510(pportunities)U
925(for)S
1024(such)S
1167(unexpected)S
1488(and)S
1605(undesired)S
1883(interacti)S
2097(ons.)S
3119 3609(e)U
556 3687(w)U
706 3609(If)U
780(source)S
982(port)S
1118(could)S
1294(be)S
1386(examined)S
1670(in)S
1750(making)S
1976(the)S
2085(routing)S
2304(decisions,)S
2595(the)S
2704(rule)S
2835(table)S
2991(abov)S
604 3687(ould)U
743(become:)S
3 F
706 3804(R)U
(ule)R
937(Direction)S
1299(Type)S
1541(SrcAddr)S
1886(DstAddr)S
2232(SrcPort)S
2550(DstPort)S
2869(Action)S
1 F
3022 3882(t)U
748(A)S
937(in)S
1299(TCP)S
2 F
1541(external)S
1886(internal)S
4 F
2232(>)S
1 F
(=1024)R
2550(25)S
2869(permi)S
750 3960(B)U
937(out)S
1299(TCP)S
2 F
1541(internal)S
1886(external)S
1 F
2232(25)S
4 F
2550(>)S
1 F
(=1024)R
2869(permit)S
3022 4038(t)U
748 4116(D)U
750 4038(C)U
937(out)S
1299(TCP)S
2 F
1541(internal)S
1886(external)S
4 F
2232(>)S
1 F
(=1024)R
2550(25)S
2869(permi)S
937 4116(in)U
1299(TCP)S
2 F
1541(external)S
1886(internal)S
1 F
2232(25)S
4 F
2550(>)S
1 F
(=1024)R
2869(permit)S
752 4194(E)U
937(either)S
1299(any)S
2 F
1541(any)S
1886(any)S
1 F
2232(any)S
2550(any)S
2869(deny)S
1791 4548(-)U
1835(8)S
1890(-)S
EP
%%Page: ? 9
BP
1 F
66 Z
706 486(I)U
(n)R
785(this)S
904(case,)S
1058(all)S
1147(the)S
1251(rules)S
1403(are)S
1507(\256rmly)S
1692(anchored)S
1957(to)S
2032(port)S
2162(25)S
2252(\(the)S
2378(well-known)S
2717(port)S
2847(number)S
3071(for)S
3130 564(l)U
556 642(c)U
556 564(SMTP\))U
778(at)S
852(one)S
974(end)S
1096(or)S
1178(the)S
1284(other,)S
1462(and)S
1583(you)S
1708(don't)S
1873(have)S
2023(the)S
2129(problem)S
2374(of)S
2455(inadvertentl)S
2768(y)S
2827(allowing)S
3083(al)S
585 642(onnections)U
896(where)S
1083(both)S
1226(ports)S
1384(are)S
1490(at)S
1563(or)S
1643(above)S
1825(1024.)S
2021(Consider)S
2284(again)S
2451(the)S
2556(example)S
2803(given)S
2974(above,)S
556 798(w)U
556 720(a)U
610(TCP)S
756(connection)S
1069(between)S
1313(an)S
1400(internal)S
1625(and)S
1745(an)S
1832(external)S
2068(host)S
2203(where)S
2389(both)S
2531(ends)S
2677(of)S
2756(the)S
2860(connection)S
604 798(ere)U
708(at)S
779(or)S
858(above)S
1039(1024;)S
1213(such)S
1358(a)S
1411(connection)S
1723(doesn't)S
1941(qualify)S
2151(with)S
2292(any)S
2411(of)S
2489(the)S
2592(above)S
2772(\256ltering)S
3003(rules,)S
3 F
556 1032(4)U
1 F
556 876(since)U
713(in)S
786(all)S
873(of)S
950(the)S
1052(above)S
1231(rules,)S
1398(one)S
1515(end)S
1632(of)S
1709(the)S
1811(connection)S
2121(has)S
2231(to)S
2304(be)S
2388(at)S
2457(port)S
2585(25.)S
3 F
589 1032(.3.)U
700(Special)S
923(handling)S
1195(of)S
1272(start-of-connection)S
1829(packets)S
2064(is)S
2130(impossible)S
1 F
3115 1131(g)U
556 1209(a)U
706 1131(Note)U
858(that)S
980(the)S
1084(even)S
1232(the)S
1336(above)S
1516(\256lters)S
1689(with)S
1829(source)S
2024(port)S
2153(still)S
2274(don't)S
2436(protect)S
2641(your)S
2785(servers)S
2995(livin)S
585 1209(t)U
628(or)S
708(above)S
890(port)S
1021(1024)S
1178(from)S
1331(an)S
1418(attack)S
1599(launched)S
1861(from)S
2014(port)S
2145(25)S
2236(on)S
2327(an)S
2414(external)S
2650(machine)S
2897(\(which)S
3104(is)S
556 1365(f)U
556 1287(certainly)U
816(possible)S
1063(if)S
1134(the)S
1245(person)S
1452(making)S
1680(the)S
1791(attack)S
1977(controls)S
2219(the)S
2329(machine)S
2581(the)S
2691(attack)S
2877(is)S
2951(coming)S
578 1365(rom\);)U
747(rules)S
898(C)S
965(and)S
1083(D)S
1154(will)S
1279(allow)S
1448(this.)S
1605(One)S
1738(way)S
1871(to)S
1945(defeat)S
2128(this)S
2246(type)S
2382(of)S
2460(attack)S
2638(is)S
2704(to)S
2777(suppress)S
3027(TCP)S
3126 1443(r)U
556 1521(i)U
556 1443(start-of-connecti)U
990(on)S
1081(packets)S
1303(\(packets)S
1547(with)S
1689(the)S
1794(TCP)S
5 F
1940(")S
1 F
(SYN)R
5 F
2101(")S
1 F
2154(\257ag)S
2278(set\))S
2398(in)S
2474(rule)S
2601(C;)S
2688(at)S
2760(least)S
2905(one)S
3024(\256lte)S
574 1521(mplementa)U
865(tion)S
1001(provides)S
1262(a)S
1325(mechanism)S
1658(for)S
1769(stating)S
1978(that)S
2110(rules)S
2272(apply)S
2 F
2452(only)S
1 F
2598(to)S
2682(packets)S
2912(in)S
5 F
2996(")S
1 F
(esta-)R
556 1599(blished)U
5 F
(")R
1 F
796(connections)S
1132(\(those)S
1315(packets)S
1534(without)S
1757(the)S
1859(SYN)S
2014(bit)S
2105(set\))S
2222([Cisco90].)S
706 1698(Unfortunately,)U
1144(UDP)S
1329(sessions)S
1598(are)S
5 F
1730(")S
1 F
(connectionless)R
5 F
(")R
1 F
(,)R
2242(so)S
2353(there)S
2536(is)S
2631(never)S
2828(a)S
5 F
2908(")S
1 F
(start-of-)R
556 1854(d)U
556 1776(connection)U
5 F
(")R
1 F
899(packet)S
1097(that)S
1222(can)S
1340(be)S
1429(suppressed)S
1745(in)S
1822(a)S
1877(UDP)S
2036(session.)S
2292(A)S
2366(solution)S
2604(for)S
2707(UDP)S
2866(is)S
2936(often)S
3097(to)S
589 1854(isallow)U
807(UDP)S
968(entirely)S
1196(except)S
1394(for)S
1498(a)S
1554(speci\256c)S
1782(exception)S
2064(for)S
2168(DNS.)S
2367(This)S
2511(exception)S
2793(for)S
2897(DNS)S
3057(can)S
3119 1932(e)U
556 2010(o)U
556 1932(generally)U
824(be)S
910(made)S
1076(safely)S
1257(even)S
1404(with)S
1544(a)S
1596(\256ltering)S
1827(implement)S
2107(ation)S
2261(that)S
2382(ignores)S
2599(source)S
2794(port,)S
2940(becaus)S
589 2010(f)U
637(a)S
692(quirk)S
857(in)S
934(the)S
1040(most)S
1194(common)S
1450(DNS)S
1609(implement)S
1889(ation.)S
2085(The)S
2212(quirk)S
2376(causes)S
2573(DNS)S
2731(server-to-server)S
556 2166(r)U
556 2088(queries)U
776(made)S
948(over)S
1095(UDP)S
1257(to)S
1337(always)S
1549(use)S
1666(port)S
1801(53)S
1896(at)S
1972(both)S
2118(ends)S
2268(of)S
2352(the)S
2461(connection,)S
2795(rather)S
2977(than)S
3119(a)S
578 2166(andom)U
783(port)S
915(at)S
988(one)S
1109(end.)S
1269(Disallowing)S
1617(UDP)S
1776(except)S
1973(for)S
2076(DNS)S
2235(also)S
2367(allows)S
2565(you)S
2690(to)S
2767(avoid)S
2939(most)S
3093(of)S
3130 2244(t)U
556 2322(a)U
556 2244(the)U
662(problems)S
933(with)S
1076(\256ltering)S
1309(RPC-based)S
1631(services)S
1868(\(since)S
2050(most)S
2203(RPC)S
2353(services)S
2590(are)S
2695(UDP)S
2853(based\))S
3050(tha)S
585 2322(re)U
658(discussed)S
933(in)S
1006(Section)S
1225(4.6.)S
3 F
556 2478(4)U
(.4.)R
700(Tabular)S
953(\256ltering)S
1198(rule)S
1333(structures)S
1641(are)S
1754(too)S
1864(cumbersome)S
1 F
3122 2577(s)U
556 2655(e)U
706 2577(While)U
901(tabular)S
1118(rule)S
1255(structures)S
1546(such)S
1702(as)S
1792(those)S
1965(shown)S
2172(above)S
2363(are)S
2477(relativel)S
2691(y)S
2758(easy)S
2909(and)S
3038(thu)S
585 2655(f\256cient)U
810(for)S
926(the)S
1045(router)S
1240(to)S
1329(parse)S
1506(and)S
1639(apply,)S
1840(they)S
1991(rapidly)S
2215(become)S
2457(too)S
2579(cumbersome)S
2953(for)S
3068(the)S
3126 2733(-)U
556 2811(c)U
556 2733(administrator)U
930(to)S
1005(use)S
1117(to)S
1192(specify)S
1406(complex)S
1656(independent)S
2001(\256ltering)S
2233(requirements.)S
2639(Even)S
2797(simple)S
2995(appli)S
585 2811(ations)U
772(of)S
857(these)S
1022(cumbersome)S
1387(syntaxes)S
1643(are)S
1752(dif\256cult,)S
2006(and)S
2130(often)S
2294(have)S
2447(unintended)S
2768(and)S
2892(undesired)S
3 F
556 3045(4)U
1 F
556 2889(side)U
684(effects,)S
898(as)S
975(demonstrated)S
1351(in)S
1424(Section)S
1643(4.2.)S
3 F
589 3045(.5.)U
700(Testing)S
931(and)S
1060(monitoring)S
1397(\256lters)S
1580(is)S
1646(dif\256cult)S
1 F
706 3144(W)U
(ith)R
860(many)S
1029(router)S
1209(products,)S
1476(the)S
1579(beleagured)S
1890(administrator's)S
2311(life)S
2421(is)S
2488(further)S
2689(complicat)S
2947(ed)S
3031(by)S
3119(a)S
3122 3222(s)U
556 3300(m)U
556 3222(lack)U
691(of)S
772(built-in)S
991(mechanisms)S
1342(to)S
1419(test)S
1536(the)S
1642(\256lter)S
1792(set)S
1891(or)S
1972(to)S
2049(monitor)S
2283(its)S
2371(performance)S
2729(in)S
2806(action.)S
3031(Thi)S
607 3300(akes)U
749(it)S
810(very)S
952(dif\256cult)S
1185(to)S
1261(debug)S
1447(and)S
1567(validate)S
1799(\256ltering)S
2032(rule)S
2159(sets,)S
2300(or)S
2380(to)S
2456(modify)S
2671(existing)S
2904(rule)S
3031(sets;)S
556 3456(i)U
556 3378(the)U
661(administrator)S
1036(always)S
1244(has)S
1357(to)S
1433(wonder)S
1656(if)S
1721(the)S
1825(\256ltering)S
2057(rules)S
2209(are)S
2313(really)S
2486(accomplishing)S
2893(what)S
3045(was)S
574 3456(ntended,)U
825(or)S
906(if)S
972(the)S
1078(rule)S
1206(set)S
1305(has)S
1419(some)S
1584(inadvertent)S
1904(hole)S
2042(in)S
2118(it)S
2179(that)S
2302(the)S
2407(administrator)S
2782(has)S
2895(somehow)S
3 F
556 3690(4)U
1 F
556 3534(overlooked.)U
3 F
589 3690(.6.)U
700(RPC)S
858(is)S
924(very)S
1070(dif\256cult)S
1312(to)S
1389(\256lter)S
1546(effectively)S
1 F
706 3789(F)U
(inally,)R
939(RPC-based)S
1266(protocols)S
1541(offer)S
1699(a)S
1758(special)S
1970(challenge,)S
2268(since)S
2433(they)S
2576(don't)S
2744(reliably)S
2973(appear)S
3130 3867(t)U
556 3945(a)U
556 3867(on)U
645(a)S
697(given)S
865(UDP)S
1020(or)S
1097(TCP)S
1240(port)S
1368(number.)S
1630(The)S
1754(only)S
1893(RPC-related)S
2240(service)S
2448(that)S
2568(is)S
2634(guaranteed)S
2944(to)S
3017(be)S
3101(a)S
609 3945(certain)U
811(port)S
940(is)S
1007(the)S
5 F
1110(")S
1 F
(portmapper)R
5 F
(")R
1 F
1492(service.)S
1740(Portmapper)S
2070(maps)S
2232(an)S
2317(RPC)S
2465(service)S
2674(number)S
2898(\(which)S
3104(is)S
3126 4023(-)U
556 4101(v)U
556 4023(a)U
611(32-bit)S
794(number)S
1020(assigned)S
1272(by)S
1363(Sun)S
1491(Microsystems)S
1886(to)S
1962(each)S
2107(individual)S
2398(RPC)S
2548(service,)S
2776(including)S
3049(ser)S
589 4101(ices)U
720(created)S
938(by)S
1033(users)S
1198(and)S
1321(other)S
1484(vendors\))S
1743(to)S
1822(the)S
1930(particular)S
2209(TCP)S
2358(or)S
2441(UDP)S
2602(port)S
2736(number)S
2965(\(which)S
3119 4179(e)U
556 4257(b)U
556 4179(are)U
662(much)S
834(smaller)S
1053(16-bit)S
1236(numbers\))S
1511(that)S
1635(the)S
1741(service)S
1953(is)S
2023(currently)S
2286(using)S
2454(on)S
2545(the)S
2650(particular)S
2926(machin)S
589 4257(eing)U
739(queried.)S
1012(When)S
1206(an)S
1305(RPC-based)S
1639(service)S
1862(starts)S
2038(up,)S
2158(it)S
2230(registers)S
2489(with)S
2642(the)S
2758(portmapper)S
3097(to)S
3115 4335(o)U
556(announce)S
836(what)S
992(port)S
1126(it)S
1190(is)S
1262(living)S
1443(at;)S
1536(the)S
1644(portmapper)S
1975(then)S
2115(passes)S
2311(this)S
2433(info)S
2566(along)S
2739(to)S
2817(anyone)S
3034(wh)S
1791 4548(-)U
1835(9)S
1890(-)S
EP
%%Page: ? 10
BP
1 F
66 Z
556 486(requests)U
794(it.)S
706 585(The)U
836(portmapper)S
1167(isn't)S
1312(required)S
1559(in)S
1638(order)S
1805(to)S
1884(establish)S
2142(an)S
2232(RPC)S
2385(connection,)S
2718(except)S
2917(to)S
2995(deter-)S
3130 663(t)U
556 741(t)U
556 663(mine)U
712(exactly)S
926(which)S
1112(port)S
1243(to)S
1319(establish)S
1574(the)S
1679(connection)S
1992(to;)S
2086(if)S
2151(you)S
2275(know)S
2447(\(or)S
2549(can)S
2664(guess\))S
2857(which)S
3042(por)S
574 741(o)U
636(establish)S
895(the)S
1004(connection)S
1321(to,)S
1418(you)S
1546(can)S
1665(bypass)S
1873(the)S
1981(portmapper)S
2312(altogether.)S
2641(What)S
2811(port)S
2945(a)S
3002(given)S
556 897(e)U
556 819(RPC)U
707(protocol)S
952(\(such)S
1121(as)S
1202(YP/NIS,)S
1455(NFS,)S
1620(or)S
1701(any)S
1822(of)S
1903(a)S
1958(number)S
2185(of)S
2265(others\))S
2473(ends)S
2619(up)S
2710(using)S
2878(is)S
2947(random)S
585 897(nough)U
774(that)S
896(the)S
1000(administrator)S
1374(can't)S
1529(effectivel)S
1776(y)S
1833(specify)S
2047(\256lters)S
2221(for)S
2322(it)S
2382(\(at)S
2474(least,)S
2634(not)S
2741(without)S
2965(risking)S
3119 975(e)U
556 1053(a)U
556 975(the)U
673(inadvertent)S
1005(\256ltering)S
1250(of)S
1342(something)S
1653(else)S
1792(that)S
1927(happened)S
2216(to)S
2304(end)S
2435(up)S
2537(on)S
2639(the)S
2755(same)S
2926(port)S
3068(th)S
585 1053(dministrator)U
943(thought)S
1181(an)S
1280(RPC-based)S
1614(service)S
2 F
1837(might)S
1 F
2024(end)S
2156(up)S
2258(at\),)S
2380(but)S
2500(not)S
2620(so)S
2715(random)S
2952(that)S
3086(an)S
3119 1131(a)U
556 1209(s)U
556 1131(attacker)U
787(can't)S
942(easily)S
5 F
1119(")S
1 F
(guess)R
5 F
(")R
1 F
1346(where)S
1531(a)S
1584(given)S
1753(protocol)S
1995(lives.)S
2181(Even)S
2339(if)S
2402(they)S
2538(can't)S
2692(or)S
2770(don't)S
2932(guess,)S
582 1209(ystematic)U
866(search)S
1067(of)S
1154(the)S
1266(entire)S
1447(port)S
1585(number)S
1818(space)S
1996(for)S
2105(the)S
2217(RPC)S
2374(service)S
2592(they're)S
2810(interested)S
3097(in)S
3115 1287(g)U
556 1365(i)U
556 1287(attacking)U
828(is)S
904(not)S
1020(that)S
1149(dif\256cult.)S
1427(Since)S
1604(RPC-based)S
1932(services)S
2175(might)S
2359(be)S
2452(on)S
2549(any)S
2675(port,)S
2829(the)S
2940(\256lterin)S
574 1365(mplementa)U
865(tion)S
1000(has)S
1121(no)S
1220(sure)S
1363(way)S
1506(of)S
1594(recognizing)S
1937(what)S
2098(is)S
2175(and)S
2303(what)S
2464(isn't)S
2614(RPC;)S
2789(as)S
2876(far)S
2981(as)S
3068(the)S
556 1443(router)U
735(is)S
801(concerned,)S
1110(it's)S
1216(all)S
1303(just)S
1420(UDP)S
1575(or)S
1652(TCP)S
1795(traf\256c.)S
706 1542(Two)U
856(fortuitous)S
1141(characteri)S
1399(stics)S
1545(of)S
1629(most)S
1786(RPC-based)S
2111(services)S
2351(can)S
2470(be)S
2560(used)S
2709(to)S
2788(save)S
2933(us)S
3020(from)S
3119 1620(e)U
556 1698(c)U
556 1620(this)U
679(morass,)S
911(however.)S
1205(First,)S
1371(most)S
1527(RPC-based)S
1852(services)S
2091(are)S
2198(offered)S
2415(as)S
2497(only)S
2641(on)S
2734(UDP)S
2894(ports;)S
3071(w)S
585 1698(an)U
672(simply)S
876(drop)S
1022(UDP)S
1180(packets)S
1402(altogether)S
1689(except)S
1885(for)S
1987(DNS,)S
2162(as)S
2242(described)S
2518(above.)S
2738(Second,)S
2973(almost)S
5 F
556 1854(")U
1 F
556 1776(all)U
645(of)S
724(those)S
887(that)S
1009(are)S
1113(offered)S
1327(on)S
1417(TCP)S
1562(ports)S
1718(use)S
1830(ports)S
1986(below)S
2171(1024,)S
2344(which)S
2529(can)S
2644(be)S
2730(protected)S
2997(by)S
3086(an)S
584 1854(deny)U
735(all)S
823(ports)S
977(below)S
1160(1024)S
1314(except)S
1507(speci\256c)S
1730(services)S
1964(like)S
2084(SMTP)S
5 F
(")R
1 F
2307(type)S
2442(of)S
2519(\256lter,)S
2682(such)S
2825(as)S
2902(shown)S
3097(in)S
3 F
556 2088(5)U
1 F
556 1932(the)U
658(example)S
902(in)S
975(Section)S
1194(4.2.)S
3 F
589 2088(.)U
650(Possible)S
899(Solutions)S
1182(for)S
1288(Current)S
1541(Packet)S
1753(Filtering)S
2019(Problems)S
556 2244(5.1.)U
700(Improve)S
964(\256lter)S
1121(speci\256cation)S
1491(syntax)S
1 F
706 2343(The)U
833(major)S
1011(improvement)S
1386(that)S
1509(could)S
1680(be)S
1767(made)S
1934(to)S
2010(many)S
2181(vendor)S
2389(packet)S
2585(\256ltering)S
2817(implement)S
3097(a-)S
556 2499(a)U
556 2421(tions)U
712(would)S
905(be)S
994(to)S
1072(provide)S
1300(better)S
1476(\256lter)S
1627(speci\256cation)S
1986(mechanisms.)S
2377(The)S
2506(administrator)S
2883(should)S
3086(be)S
585 2499(ble)U
693(to)S
772(specify)S
990(rules)S
1146(in)S
1225(a)S
1282(form)S
1438(that)S
1564(makes)S
1760(sense)S
1931(to)S
2009(the)S
2116(administrator)S
2493(\(such)S
2663(as)S
2745(a)S
2801(propositional)S
556 2655(t)U
556 2577(logic)U
716(syntax\),)S
956(not)S
1069(necessarily)S
1389(a)S
1446(form)S
1602(that)S
1728(is)S
1800(ef\256cient)S
2043(for)S
2148(the)S
2256(router)S
2441(to)S
2520(process;)S
2764(the)S
2872(router)S
3057(can)S
574 2655(hen)U
701(convert)S
930(the)S
1042(rules)S
1202(from)S
1362(the)S
1474(high-level)S
1772(form)S
1932(to)S
2015(a)S
2076(form)S
2236(amenable)S
2519(to)S
2602(ef\256cient)S
2849(processing.)S
556 2811(s)U
556 2733(One)U
694(possibility)S
996(might)S
1177(be)S
1267(the)S
1375(creation)S
1614(of)S
1697(a)S
5 F
1754(")S
1 F
(\256lter)R
1934(compiler)S
5 F
(")R
1 F
2223(that)S
2349(accepts)S
2570(\256lters)S
2748(in)S
2826(a)S
2882(high-level)S
582 2811(yntax)U
764(that)S
898(was)S
1037(convenient)S
1361(for)S
1474(the)S
1589(administrator,)S
1991(and)S
2121(emits)S
2298(a)S
5 F
2362(")S
1 F
(compiled)R
5 F
(")R
1 F
2697(\256lter)S
2856(list)S
2971(that)S
3104(is)S
556 2889(acceptabl)U
803(e)S
854(to)S
927(the)S
1029(router.)S
706 2988(Addressing)U
1034(the)S
1141(conceptual)S
1452(mismatch)S
1734(between)S
1980(administrators,)S
2400(who)S
2540(think)S
2701(in)S
2778(terms)S
2950(of)S
3031(con-)S
556 3144(d)U
556 3066(nections,)U
820(and)S
943(routers,)S
1171(which)S
1360(operate)S
1581(in)S
1660(terms)S
1834(of)S
1917(the)S
2025(packets)S
2250(making)S
2475(up)S
2569(those)S
2735(connections,)S
3093(as)S
589 3144(iscussed)U
831(in)S
904(Section)S
1123(4.1,)S
1245(might)S
1420(also)S
1548(prove)S
1720(valuable.)S
3 F
2385 3300(a)U
556(5.2.)S
700(Make)S
883(all)S
974(relevant)S
1226(header)S
1442(\256elds)S
1611(available)S
1885(as)S
1966(\256ltering)S
2211(criteri)S
1 F
706 3399(The)U
834(administrator)S
1210(should)S
1412(be)S
1499(able)S
1633(to)S
1709(specify)S
1924(all)S
2014(relevant)S
2250(header)S
2450(\256elds,)S
2635(particularl)S
2904(y)S
2962(includ-)S
3126 3477(-)U
556 3555(t)U
556 3477(ing)U
669(TCP/UDP)S
970(source)S
1171(port)S
1306(\(which)S
1518(is)S
1591(currently)S
1857(often)S
2021(omitted)S
2250(from)S
2407(many)S
2581(\256ltering)S
2817(implement)S
3097(a)S
574 3555(ions\),)U
751(as)S
834(\256lter)S
986(criteria.)S
1216(Until)S
1379(this)S
1502(key)S
1625(feature)S
1835(is)S
1907(provided,)S
2186(it)S
2250(will)S
2379(be)S
2468(dif\256cult)S
2703(or)S
2785(impossible)S
3097(to)S
3126 3633(-)U
556 3711(t)U
556 3633(effectivel)U
803(y)S
864(use)S
980(\256ltering)S
1216(in)S
1295(certain)S
1501(common)S
1759(situations,)S
2056(as)S
2138(demonstrated)S
2519(in)S
2597(the)S
2704(example)S
2953(in)S
3031(Sec)S
574 3711(ion)U
687(4.2.)S
838(The)S
969(administrator)S
1348(should)S
1553(also)S
1688(be)S
1779(able)S
1917(to)S
1997(specify)S
2216(whether)S
2457(a)S
2515(\256lter)S
2668(rule)S
2798(should)S
3002(apply)S
3 F
556 3945(5)U
1 F
556 3789(only)U
695(to)S
768(established)S
1082(TCP)S
1225(connections.)S
3 F
589 3945(.3.)U
700(Allow)S
887(inbound)S
1145(\256lters)S
1328(as)S
1409(well)S
1544(as)S
1625(outbound)S
1920(\256lters)S
1 F
3115 4044(h)U
556 4122(i)U
706 4044(The)U
838(administrator)S
1218(should)S
1424(be)S
1516(able)S
1655(to)S
1736(specify)S
1956(both)S
2103(inbound)S
2349(and)S
2474(outbound)S
2753(\256lters)S
2933(on)S
3028(eac)S
574 4122(nterface,)U
827(rather)S
1005(than)S
1143(only)S
1285(outbound)S
1559(\256lters.)S
1773(This)S
1915(would)S
2105(allow)S
2276(the)S
2381(administrator)S
2756(to)S
2832(position)S
3068(the)S
556 4278(s)U
556 4200(router)U
746(either)S
5 F
928(")S
1 F
(inside)R
5 F
(")R
1 F
1174(or)S
5 F
1261(")S
1 F
(outside)R
5 F
(")R
1 F
1539(the)S
1651(\256ltering)S
5 F
1891(")S
1 F
(fence)R
5 F
(")R
1 F
(,)R
2138(as)S
2225(appropriate.)S
2595(It)S
2667(would)S
2864(also)S
3002(allow)S
582 4278(impler)U
776(speci\256cation)S
1131(of)S
1209(\256lters)S
1382(on)S
1471(routers)S
1677(with)S
1817(more)S
1975(than)S
2110(two)S
2231(interfaces)S
2508(by)S
2596(allowing)S
2848(some)S
3009(cases)S
556 4356(\(such)U
735(as)S
825(a)S
889(packet)S
1095(appearing)S
1389(from)S
1552(the)S
1667(outside)S
1892(world)S
2081(that)S
2214(purports)S
2469(to)S
2555(be)S
2652(both)S
2804(to)S
2890(and)S
3020(from)S
1775 4548(-)U
1819(10)S
1907(-)S
EP
%%Page: ? 11
BP
1 F
66 Z
3115 486(n)U
556 564(h)U
556 486(internal)U
782(hosts\))S
966(to)S
1043(be)S
1131(handled)S
1364(by)S
1455(the)S
1560(inbound)S
1801(set)S
1899(of)S
1979(\256lters)S
2154(on)S
2245(the)S
2350(external)S
2586(interface,)S
2857(rather)S
3035(tha)S
589 564(aving)U
764(to)S
844(duplicate)S
1113(these)S
1277(special)S
1488(cases)S
1656(into)S
1787(the)S
1896(outbound)S
2174(\256lter)S
2327(set)S
2429(on)S
2524(each)S
2673(internal)S
2902(interface.)S
556 720(f)U
556 642(The)U
688(desired)S
908(functionalit)S
1210(y)S
1273(may)S
1415(not)S
1528(even)S
1681(be)S
1772(possible)S
2017(with)S
2163(only)S
2309(outbound)S
2587(\256lters;)S
2784(the)S
2893(case)S
3035(of)S
3119(a)S
578 720(ake)U
700(internal-to-i)S
1013(nternal)S
1226(packet)S
1428(showing)S
1683(up)S
1779(on)S
1875(the)S
1985(external)S
2226(interface,)S
2502(as)S
2587(discussed)S
2870(in)S
2951(Section)S
3 F
556 954(5)U
1 F
556 798(2.4.2,)U
728(can't)S
881(be)S
965(detected)S
1205(in)S
1278(an)S
1362(outbound)S
1633(\256lter)S
1779(set.)S
3 F
589 954(.4.)U
700(Provide)S
941(tools)S
1095(for)S
1201(developing,)S
1544(testing,)S
1770(and)S
1899(monitoring)S
2236(\256lters)S
1 F
3122 1053(s)U
556 1131(a)U
706 1053(Better)U
893(tools)S
1048(for)S
1152(developing,)S
1488(testing)S
1690(and)S
1812(validating)S
2101(rule)S
2230(sets,)S
2373(perhaps)S
2605(including)S
2880(test)S
2998(suite)S
585 1131(nd)U
683(automatic)S
973(test)S
1096(probe)S
1278(generators,)S
1600(would)S
1796(make)S
1969(a)S
2029(big)S
2144(difference)S
2441(in)S
2523(the)S
2634(usability)S
2891(of)S
2977(packet)S
556 1287(p)U
556 1209(\256ltering)U
791(mechanisms.)S
1182(Such)S
1341(an)S
1430(automated)S
1730(test)S
1848(system)S
2058(might)S
2238(well)S
2377(be)S
2465(a)S
2520(part)S
2648(of)S
2729(the)S
5 F
2835(")S
1 F
(\256lter)R
3013(com-)S
589 1287(iler)U
5 F
(")R
1 F
726(described)S
1000(in)S
1073(Section)S
1292(5.1.)S
3 F
1806 1443(s)U
556(5.5.)S
700(Simplify)S
960(speci\256cation)S
1330(of)S
1407(common)S
1671(\256lter)S
1 F
706 1542(It)U
776(would)S
971(be)S
1063(useful)S
1254(if)S
1324(administrators)S
1730(could)S
1905(specify)S
2124(common)S
2383(\256ltering)S
2620(cases)S
2788(\(for)S
2916(instance,)S
556 1698(t)U
5 F
556 1620(")U
1 F
(allow)R
755(inbound)S
996(SMTP)S
1194(to)S
1270(this)S
1390(single)S
1572(host)S
5 F
(")R
1 F
(\))R
1757(simply,)S
1978(without)S
2203(having)S
2406(to)S
2481(understand)S
2794(the)S
2898(details)S
3093(of)S
574 1698(he)U
658(protocols)S
925(or)S
1002(\256ltering)S
1232(mechanisms)S
1579(involved.)S
3 F
556 1854(6.)U
650(Conclusions)S
1 F
706 1953(Packet)U
907(\256ltering)S
1141(is)S
1211(currently)S
1474(a)S
1529(viable)S
1715(and)S
1835(valuable)S
2082(network)S
2323(security)S
2556(tool,)S
2700(but)S
2809(some)S
2973(simple)S
556 2109(t)U
556 2031(vendor)U
762(improvements)S
1161(could)S
1330(have)S
1477(a)S
1528(big)S
1634(impact.)S
1873(There)S
2048(are)S
2150(several)S
2358(critical)S
2561(de\256ciencies)S
2893(that)S
3013(seem)S
574 2109(o)U
639(be)S
733(common)S
995(to)S
1078(many)S
1256(vendors,)S
1514(such)S
1667(as)S
1754(the)S
1866(inability)S
2116(to)S
2199(consider)S
2454(source)S
2657(TCP/UDP)S
2960(port)S
3097(in)S
3115 2187(d)U
556 2265(g)U
556 2187(\256lters,)U
747(that)S
869(need)S
1017(to)S
1092(be)S
1178(addressed.)S
1501(Other)S
1675(improvements)S
2075(to)S
2150(\256lter)S
2298(speci\256cation)S
2654(mechanisms)S
3002(coul)S
589 2265(reatly)U
768(simplify)S
1017(the)S
1126(lives)S
1279(of)S
1363(network)S
1608(administrators)S
2013(trying)S
2199(to)S
2279(use)S
2396(packet)S
2596(\256ltering)S
2833(capabilit)S
3058(ies,)S
3 F
556 2499(7)U
1 F
556 2343(and)U
673(increase)S
910(their)S
1052(con\256dence)S
1359(that)S
1479(their)S
1621(\256lters)S
1793(are)S
1895(doing)S
2067(what)S
2217(they)S
2352(think)S
2509(they)S
2644(are.)S
3 F
589 2499(.)U
650(Acknowledgements)S
1 F
706 2598(T)U
(hanks)R
937(to)S
1025(Steve)S
1207(Bellovin)S
1469(and)S
1600(Bill)S
1734(Cheswick)S
2030(of)S
2121(AT&T)S
2336(Bell)S
2481(Laboratories)S
2849(for)S
2962(several)S
556 2754(l)U
556 2676(lively)U
734(and)S
858(fruitful)S
1073(discussions)S
1403(of)S
1487(packet)S
1687(\256ltering)S
1924(as)S
2008(a)S
2066(network)S
2311(security)S
2548(tool;)S
2696(in)S
2775(particular,)S
3071(I'd)S
574 2754(ike)U
688(to)S
773(thank)S
953(Steve)S
1133(for)S
1243(providing)S
1532(me)S
1645(with)S
1795(prepublicati)S
2108(on)S
2207(copies)S
2408(of)S
2496(two)S
2628(of)S
2716(his)S
2826(IP)S
2918(security-)S
3126 2832(f)U
556 2910(t)U
556 2832(related)U
761(papers)S
960(and)S
1082(of)S
1164(his)S
1268(1989)S
1427(article)S
1617(on)S
1709(TCP/IP)S
1933(security)S
2167(problems.)S
2477(Thanks)S
2697(to)S
2774(Ed)S
2873(DeHart)S
3093(o)S
574 2910(he)U
661(Computer)S
949(Emergency)S
1273(Response)S
1551(Team)S
1725(for)S
1827(strongly)S
2068(and)S
2188(repeatedly)S
2485(encouraging)S
2834(me)S
2938(to)S
3013(write)S
556 3066(Z)U
556 2988(this)U
680(paper)S
855(after)S
1004(listening)S
1259(to)S
1338(me)S
1446(moan)S
1620(about)S
1794(the)S
1902(issues)S
2088(discussed)S
2369(herein.)S
2600(Thanks)S
2822(to)S
2901(Elizabet)S
3115(h)S
596 3066(wicky)U
780(of)S
858(SRI)S
984(International)S
1319(,)S
1359(Brian)S
1528(Lloyd)S
1708(of)S
1786(Lloyd)S
1965(&)S
2038(Associates,)S
2359(and)S
2476(Steve)S
2644(Bellovin)S
2892(of)S
2969(AT&T)S
3115 3144(d)U
556 3222(s)U
556 3144(Bell)U
704(Laboratories)S
1075(for)S
1191(reviewing)S
1493(drafts)S
1681(of)S
1774(this)S
1907(paper)S
2091(and)S
2224(providing)S
2518(valuable)S
2778(feedback)S
3053(an)S
582 3222(uggestions.)U
3 F
931 3378(s)U
1 F
556 3477([)U
3 F
556 3378(8.)U
650(Reference)S
1 F
578 3477(Bellovin89])U
706 3555(S)U
(.)R
787(M.)S
890(Bellovin,)S
5 F
1160(")S
1 F
(Security)R
1434(Problems)S
1710(in)S
1788(the)S
1895(TCP/IP)S
2120(Protocol)S
2370(Suite)S
5 F
(")R
1 F
(;)R
2 F
2578(Computer)S
2869(Communi-)S
1 F
556 3732([)U
2 F
706 3633(cations)U
918(Review)S
1 F
(,)R
1146(Volume)S
1380(9,)S
1452(Number)S
1690(2;)S
1763(April)S
1924(1989;)S
2096(pp.)S
2223(32-48.)S
578 3732(Bellovin92a])U
706 3810(S)U
(teven)R
907(M.)S
1005(Bellovin,)S
5 F
1270(")S
1 F
(Packets)R
1521(Found)S
1712(on)S
1800(an)S
1884(Internet)S
5 F
(")R
1 F
(;)R
2156(in)S
2229(preparation;)S
2568(1992.)S
556 3909([Bellovin92b])U
706 3987(Steven)U
909(M.)S
1009(Bellovin,)S
5 F
1276(")S
1 F
(There)R
1481(Be)S
1578(Dragons)S
5 F
(")R
1 F
(;)R
2 F
1872(Proceedings)S
2225(of)S
2300(the)S
2404(Third)S
2575(USENIX)S
2825(UNIX)S
3002(Secu-)S
706 4065(rity)U
819(Symposium)S
1 F
(;)R
1160(Baltimore,)S
1461(MD;)S
1608(September,)S
1928(1992.)S
776 4164(])U
556([Ches90)S
706 4242(Bill)U
831(Cheswick,)S
5 F
1135(")S
1 F
(The)R
1292(Design)S
1506(of)S
1587(a)S
1642(Secure)S
1847(Internet)S
2077(Gateway)S
5 F
(")R
1 F
(;)R
2 F
2383(Proceedings)S
2738(of)S
2815(the)S
2921(USENIX)S
706 4320(Summer)U
945(1990)S
1099(Conference)S
1 F
(;)R
1442(Anaheim,)S
1722(CA;)S
1854(June)S
1997(11-15,)S
2190(1990;)S
2362(pp.)S
2467(233-237.)S
1775 4548(-)U
1819(11)S
1907(-)S
EP
%%Page: ? 12
BP
1 F
66 Z
556 486([CHS91])U
706 564(Bruce)U
904(Corbridge,)S
1229(Robert)S
1449(Henig,)S
1668(Charles)S
1910(Slater,)S
5 F
2121(")S
1 F
(Packet)R
2365(Filtering)S
2631(in)S
2722(an)S
2824(IP)S
2923(Router)S
5 F
(")R
1 F
(;)R
2 F
706 720(e)U
706 642(Proceedings)U
1064(of)S
1144(the)S
1253(Fifth)S
1409(USENIX)S
1665(Large)S
1851(Installation)S
2182(and)S
2309(System)S
2520(Administration)S
2943(Confer-)S
735 720(nce)U
848(\(LISA)S
1024(V\))S
1 F
(;)R
1126(San)S
1247(Diego,)S
1447(CA;)S
1579(October,)S
1830(1992;)S
2002(pp.)S
2107(227-232.)S
556 819([Cisco90])U
706 897(Cisco)U
893(Systems)S
1150(\(Menlo)S
1380(Park,)S
1554(CA\);)S
5 F
1722(")S
1 F
(Gateway)R
2020(System)S
2250(Manual;)S
2505(Software)S
2779(Release)S
3019(8.2)S
5 F
(")R
1 F
(;)R
706 975(1990.)U
795 1074(])U
556([CMQ92)S
706 1152(Smoot)U
906(Carl-Mitchell)S
1290(and)S
1412(John)S
1564(S.)S
1645(Quarterman,)S
5 F
2003(")S
1 F
(Building)R
2288(Internet)S
2519(Firewalls)S
5 F
(")R
1 F
(;)R
2 F
2837(UnixWorld)S
1 F
(;)R
706 1230(February,)U
983(1992;)S
1155(pp)S
1243(93-102.)S
823 1329(])U
556([Comer91)S
706 1407(Douglas)U
968(E.)S
1067(Comer,)S
2 F
1305(Internetworking)S
1771(with)S
1926(TCP)S
1 F
(/)R
2 F
(IP,)R
2186(Volume)S
2429(I)S
1 F
(;)R
2511(Second)S
2747(Edition,)S
2998(1991;)S
706 1485(Prentice-Hall,)U
1095(Inc.)S
772 1584(])U
556([Kent89)S
706 1662(Stephen)U
947(Kent,)S
5 F
1121(")S
1 F
(Comments)R
1463(on)S
1558('Security)S
1828(Problems)S
2106(in)S
2185(the)S
2293(TCP/IP)S
2519(Protocol)S
2770(Suite')S
5 F
(")R
1 F
(;)R
2 F
3001(Com-)S
706 1740(puter)U
867(Communications)S
1336(Review)S
1 F
(;)R
1565(July)S
1697(1989.)S
820 1839(])U
556([Mogul89)S
706 1917(Jeffrey)U
912(C.)S
996(Mogul,)S
5 F
1212(")S
1 F
(Simple)R
1449(and)S
1567(Flexible)S
1804(Datagram)S
2085(Access)S
2294(Controls)S
2543(for)S
2642(UNIX-based)S
3002(Gate-)S
556 2094([)U
706 1995(ways)U
5 F
(")R
1 F
(;)R
2 F
910(Proceedings)S
1261(of)S
1334(the)S
1436(USENIX)S
1685(Summer)S
1924(1989)S
2078(Conference)S
1 F
(;)R
2421(pp.)S
2526(203-221.)S
578 2094(Ranum92])U
706 2172(M)U
(arcus)R
931(J.)S
1001(Ranum,)S
5 F
1235(")S
1 F
(A)R
1338(Network)S
1596(Firewall)S
5 F
(")R
1 F
(;)R
2 F
1888(Proceedings)S
2243(of)S
2320(the)S
2426(World)S
2617(Conference)S
2946(on)S
3038(Sys-)S
1 F
556 2349([)U
2 F
706 2250(tem)U
823(Administration)S
1240(and)S
1361(Security)S
1 F
(;)R
1616(July)S
1748(1992;)S
1920(Washington,)S
2277(D.C.;)S
2443(pp.)S
2548(153-163.)S
578 2349(RFC1058])U
706 2427(C)U
(.)R
790(Hedrick,)S
5 F
1042(")S
1 F
(Routing)R
1305(Information)S
1642(Protocol)S
5 F
(")R
1 F
(,)R
1933(Request)S
2168(For)S
2283(Comments)S
2590(1058;)S
2762(available)S
3020(from)S
556 2604([)U
706 2505(the)U
808(DDN)S
974(Network)S
1227(Information)S
1563(Center)S
1760(\(NIC.DDN.)S
2074(MIL\).)S
578 2604(RFC1340])U
706 2682(J)U
(.)R
777(Reynolds)S
1053(and)S
1175(J.)S
1245(Postel,)S
5 F
1450(")S
1 F
(Ass)R
1578(igned)S
1751(Numbers)S
5 F
(")R
1 F
(,)R
2065(Request)S
2304(For)S
2423(Comments)S
2735(1340;)S
2912(available)S
556 2859([)U
706 2760(from)U
856(the)S
958(DDN)S
1124(Network)S
1377(Information)S
1713(Center)S
1910(\(NIC.DDN.)S
2224(MIL\).)S
578 2859(Telebit92a)U
858(])S
706 2937(T)U
(elebit)R
913(Corporation)S
1253(\(Sunnyvale,)S
1592(CA\),)S
5 F
1745(")S
1 F
(NetBlazer)R
2061(Command)S
2357(Reference)S
5 F
(")R
1 F
(;)R
2691(1992.)S
556 3036([Telebit92b])U
706 3114(Telebit)U
913(Corporation)S
1253(\(Sunnyvale,)S
1592(CA\),)S
5 F
1745(")S
1 F
(NetBlazer)R
2061(Version)S
2292(1.4)S
2397(Release)S
2623(Notes)S
5 F
(")R
1 F
(;)R
2845(1992.)S
3 F
556 3426(A)U
556 3270(Appendix)U
854(A)S
924(\320)S
1012(Filtering)S
1278(Characteristics)S
1728(of)S
1805(Common)S
2088(IP)S
2176(Protocols)S
604 3426(.1.)U
693(SMTP)S
1 F
706 3525(S)U
(MTP)R
904(is)S
973(provided)S
1231(as)S
1310(a)S
1363(TCP)S
1508(service)S
1718(with)S
1859(the)S
1963(server)S
2148(end)S
2267(of)S
2346(the)S
2450(connection)S
2762(at)S
2833(port)S
2963(25)S
3053(and)S
3 F
556 3759(A)U
1 F
556 3603(the)U
658(client)S
825(end)S
942(at)S
1011(a)S
1062(random)S
1285(port.)S
3 F
604 3759(.2.)U
693(TELNET)S
1 F
706 3858(T)U
(ELNET)R
980(is)S
1050(provided)S
1310(as)S
1391(a)S
1446(TCP)S
1593(service)S
1805(with)S
1948(the)S
2054(server)S
2241(end)S
2362(of)S
2443(the)S
2549(connection)S
2862(at)S
2934(port)S
3065(23,)S
3 F
556 4092(A)U
1 F
556 3936(and)U
673(the)S
775(client)S
942(end)S
1059(at)S
1128(a)S
1179(random)S
1402(port.)S
3 F
604 4092(.3.)U
693(FTP)S
1 F
706 4191(F)U
(TP)R
843(is)S
910(slightly)S
1130(tricky,)S
1323(in)S
1397(that)S
1518(an)S
1602(FTP)S
1738(conversation)S
2096(actually)S
2325(involves)S
2570(two)S
2691(TCP)S
2834(connections)S
556 4347(c)U
556 4269(in)U
639(typical)S
849(UNIX)S
1047(implement)S
1327(ations:)S
1534(one)S
1661(for)S
1769(connection)S
2088(for)S
2196(commands,)S
2529(and)S
2655(one)S
2781(for)S
2889(data.)S
3046(The)S
585 4347(ommand)U
842(connection)S
1157(is)S
1228(at)S
1302(port)S
1435(21)S
1528(on)S
1621(the)S
1728(server,)S
1933(and)S
2054(the)S
2160(data)S
2295(connection)S
2609(is)S
2679(at)S
2752(port)S
2884(20)S
2976(on)S
3068(the)S
1775 4548(-)U
1819(12)S
1907(-)S
EP
%%Page: ? 13
BP
1 F
66 Z
2182 486(.)U
3 F
556 642(A)U
1 F
556 486(server;)U
757(both)S
896(connections)S
1232(use)S
1342(random)S
1565(ports)S
1719(on)S
1807(the)S
1909(client)S
2076(side)S
3 F
604 642(.4.)U
693(NNTP)S
1 F
706 741(N)U
(NTP)R
903(is)S
971(provided)S
1228(as)S
1306(a)S
1358(TCP)S
1502(service)S
1711(with)S
1851(the)S
1954(server)S
2138(end)S
2256(at)S
2326(port)S
2455(119,)S
2594(and)S
2712(the)S
2815(client)S
2983(end)S
3101(at)S
3 F
556 975(A)U
1 F
556 819(a)U
607(random)S
830(port.)S
3 F
604 975(.5.)U
693(DNS)S
1 F
706 1074(D)U
(NS)R
863(is)S
931(provided)S
1189(as)S
1268(both)S
1409(a)S
1462(TCP)S
1607(and)S
1726(UDP)S
1883(service)S
2093(at)S
2164(port)S
2294(53.)S
2401(The)S
2526(UDP)S
2682(service)S
2891(is)S
2958(usually)S
3126 1152(r)U
556 1230(p)U
556 1152(used)U
705(for)S
810(client-to-serve)S
1189(r)S
1238(queries)S
1455(\(the)S
1584(client)S
1756(end)S
1878(will)S
2007(be)S
2096(at)S
2170(a)S
2226(random)S
2454(port\))S
2609(and)S
2731(server-to-serve)S
589 1230(roxy)U
734(queries)S
948(\(where)S
1155(a)S
1208(server)S
1393(queries)S
1607(another)S
1828(server)S
2013(on)S
2103(behalf)S
2291(of)S
2370(a)S
2423(client\),)S
2631(while)S
2801(the)S
2905(TCP)S
3049(ser-)S
3126 1308(-)U
556 1386(m)U
556 1308(vice)U
693(is)S
765(usually)S
983(used)S
1132(for)S
1237(server-to-server)S
1681(bulk)S
1825(data)S
1961(transfers)S
2215(\(typically)S
2493(zone)S
2644(transfers)S
2898(from)S
3053(pri)S
607 1386(ary)U
713(to)S
786(secondary)S
1075(DNS)S
1230(servers)S
1439(for)S
1538(a)S
1589(given)S
1757(zone\).)S
706 1485(O)U
(ne)R
844(implement)S
1124(ation)S
1283(characteri)S
1541(stic)S
1659(of)S
1741(the)S
1848(most)S
2003(common)S
2260(DNS)S
2420(server)S
2608(implement)S
2888(ation)S
3046(\(the)S
556 1641(q)U
5 F
556 1563(")U
1 F
(BIND)R
5 F
(")R
1 F
774(,)S
818(or)S
5 F
900(")S
1 F
(Berkeley)R
1191(Internet)S
1421(Name)S
1604(Daemon,)S
5 F
(")R
1 F
1898(implement)S
2178(ation\))S
2357(is)S
2427(that)S
2551(server-to-server)S
2994(proxy)S
589 1641(ueries)U
778(are)S
890(made)S
1064(via)S
1176(UDP)S
1341(with)S
1490(both)S
1639(ends)S
1792(of)S
1879(the)S
1990(connection)S
2309(using)S
2483(port)S
2620(53.)S
2734(Packet)S
2940(\256ltering)S
3115 1719(y)U
556 1797(U)U
556 1719(speci\256cations)U
951(can)S
1079(take)S
1225(good)S
1394(advantage)S
1697(of)S
1789(this)S
1921(characteri)S
2179(stic,)S
2324(since)S
2495(DNS)S
2664(is)S
2744(often)S
2915(the)S
3031(onl)S
604 1797(DP-based)U
888(protocol)S
1134(that)S
1259(sites)S
1403(want)S
1558(to)S
1636(allow)S
1809(bidirectiona)S
2122(lly)S
2218(\(i.e.,)S
2364(allow)S
2536(both)S
2679(inbound)S
2921(and)S
3042(out-)S
556 1953(f)U
556 1875(bound\))U
766(between)S
1008(their)S
1151(internal)S
1374(machines)S
1645(and)S
1763(the)S
1866(outside)S
2079(world.)S
2295(The)S
2420(fact)S
2541(that)S
2662(DNS)S
2818(uses)S
2954(port)S
3082(53)S
578 1953(or)U
657(both)S
798(ends)S
943(of)S
1022(such)S
1167(a)S
1220(connection,)S
1549(rather)S
1726(than)S
1863(port)S
1992(53)S
2081(for)S
2181(answering)S
2475(server)S
2659(end)S
2777(and)S
2895(a)S
2947(random)S
3126 2031(-)U
556 2109(m)U
556 2031(port)U
687(for)S
789(the)S
894(requesting)S
1193(server)S
1379(end,)S
1516(allows)S
1713(DNS)S
1871(to)S
1947(be)S
2034(bidirectiona)S
2347(lly)S
2441(enabled)S
2670(in)S
2745(\256ltering)S
2977(imple)S
607 2109(entations)U
871(that)S
996(examine)S
1245(only)S
1389(destination)S
1704(ports)S
1862(\(not)S
1994(source)S
2192(ports\))S
2 F
2372(without)S
1 F
2595(running)S
2826(afoul)S
2987(of)S
3068(the)S
3126 2187(-)U
556 2265(t)U
5 F
556 2187(")U
1 F
(allowing)R
847(any)S
974(connection)S
1294(where)S
1487(both)S
1636(ends)S
1789(are)S
1901(above)S
2090(1023)S
5 F
(")R
1 F
2282(problem)S
2533(with)S
2682(allowing)S
2944(bidirec)S
574 2265(ional)U
727(services)S
961(in)S
1034(such)S
1177(routers)S
1382(\(see)S
1510(Section)S
1729(4.2)S
1834(for)S
1933(a)S
1984(detailed)S
2213(discussion)S
2510(of)S
2587(this)S
2704(problem\).)S
3 F
556 2421(A.6.)U
693(BSD)S
844(r*)S
928(services)S
1169(\(rlogin,)S
1398(rsh,)S
1529(rcp,)S
1663(and)S
1792(rexec\))S
1 F
706 2520(The)U
831(BSD)S
983(r*)S
1061(services)S
1296(\(rlogin,)S
1515(rsh,)S
1636(rcp,)S
1760(and)S
1878(rexec\))S
2064(are)S
2166(another)S
2385(tricky)S
2560(case)S
2695(because)S
2925(they)S
3060(use)S
3126 2598(-)U
556 2676(p)U
556 2598(privileged)U
860(ports)S
1029(\(ports)S
1220(below)S
1418(1024;)S
1605(see)S
1726(below)S
1924(for)S
2038(a)S
2104(discussion)S
2416(of)S
5 F
2508(")S
1 F
(privileged)R
5 F
(")R
1 F
2867(and)S
5 F
2999(")S
1 F
(non)R
589 2676(rivileged)U
5 F
(")R
1 F
877(ports\))S
1058(for)S
1162(both)S
1306(the)S
1413(server)S
1601(\(port)S
1756(512)S
1881(for)S
1984(rexec,)S
2169(513)S
2294(for)S
2397(rlogin,)S
2597(and)S
2718(514)S
2843(for)S
2946(rsh)S
3053(and)S
3122 2754(s)U
556 2832(b)U
556 2754(rcp\))U
686(and)S
804(client)S
972(\(a)S
1046(random)S
1270(privileged)S
1559(port\).)S
1749(A)S
1820(typical)S
2021(\256ltering)S
2252(set)S
2348(that)S
2469(allows)S
2664(outbound)S
2936(service)S
589 2832(y)U
666(allowing)S
940(outbound)S
1233(packets)S
1474(to)S
1568(speci\256c)S
1812(privileged)S
2121(ports)S
2296(and)S
2434(inbound)S
2693(packets)S
2933(to)S
3027(non-)S
556 2988(t)U
556 2910(privileged)U
848(ports)S
1005(won't)S
1184(allow)S
1355(any)S
1475(of)S
1555(these)S
1715(services,)S
1969(since)S
2129(their)S
2274(inbound)S
2515(packets)S
2737(will)S
2864(be)S
2951(coming)S
574 2988(o)U
642(random)S
877(privileged)S
1177(ports.)S
1360(If)S
1438(you)S
1571(then)S
1718(allow)S
1898(inbound)S
2148(packets)S
2379(to)S
2464(random)S
2699(privileged)S
2999(ports,)S
556 3144(w)U
556 3066(you've)U
770(just)S
895(opened)S
1115(up)S
1211(all)S
1306(your)S
1457(own)S
1601(services)S
1843(on)S
1939(privileged)S
2235(ports)S
2397(to)S
2478(attacks)S
2690(from)S
2848(the)S
2958(outside)S
604 3144(orld.)U
780(One)S
921(possible)S
1168(solution)S
1411(is)S
1485(to)S
1566(this)S
1691(quandry)S
1937(is)S
2011(to)S
2092(allow)S
2268(only)S
2415(packets)S
2642(from)S
5 F
2800(")S
1 F
(established)R
5 F
(")R
3 F
556 3378(A)U
1 F
556 3222(connections)U
892(inbound,)S
1147(if)S
1209(your)S
1352(\256ltering)S
1582(implement)S
1862(ation)S
2015(has)S
2125(that)S
2245(capabilit)S
2470(y)S
2525(\(see)S
2653(Section)S
2872(4.3\).)S
3 F
604 3378(.7.)U
693(RIP)S
1 F
706 3477(R)U
(IP)R
834(broadcasts)S
1137(between)S
1380(routers)S
1587(uses)S
1725(UDP)S
1882(port)S
2012(520)S
2135(as)S
2214(for)S
2315(both)S
2456(source)S
2652(and)S
2771(destination.)S
3100(A)S
3130 3555(;)U
556 3633(r)U
556 3555(RIP)U
684(query)S
858(may)S
995(use)S
1107(some)S
1270(other)S
1429(UDP)S
1586(port)S
1716(as)S
1795(their)S
1939(source)S
2135(port)S
2265(with)S
2406(520)S
2529(as)S
2608(the)S
2712(destination)S
3024(port)S
578 3633(eplies)U
757(to)S
834(the)S
940(query)S
1116(will)S
1244(use)S
1358(520)S
1483(as)S
1564(the)S
1670(source)S
1868(port)S
2000(and)S
2121(the)S
2227(query's)S
2451(source)S
2649(port)S
2780(as)S
2860(the)S
2965(reply's)S
3 F
556 3867(A)U
1 F
556 3711(destination)U
866(port)S
994([RFC1058].)S
3 F
604 3867(.8.)U
693(RPC)S
851(and)S
980(RPC-based)S
1322(services)S
1563(\(YP/NIS)S
1824(and)S
1953(NFS\))S
1 F
3126 3966(f)U
556 4044(o)U
706 3966(RPC)U
863(\(Sun's)S
1068(Remote)S
1304(Procedure)S
1603(Call)S
1744(mechanism,)S
2092(which)S
2285(is)S
2361(at)S
2440(the)S
2552(heart)S
2715(of)S
2801(a)S
2861(number)S
3093(o)S
589 4044(ther)U
722(protocols,)S
1015(notably)S
1243(YP/NIS)S
1483(and)S
1608(NFS\))S
1782(is)S
1856(a)S
1915(real)S
2043(can)S
2164(of)S
2249(worms)S
2459(when)S
2632(it)S
2698(comes)S
2896(to)S
2977(packet)S
556 4200(1)U
556 4122(\256ltering.)U
825(The)S
949(only)S
1088(ports)S
1242(a)S
1293(machine)S
1537(running)S
1764(RPC)S
1911(is)S
1977(certain)S
2177(to)S
2250(be)S
2334(using)S
2499(are)S
2601(UDP)S
2756(and)S
2873(TCP)S
3016(ports)S
589 4200(11,)U
696(for)S
797(the)S
5 F
901(")S
1 F
(portmapper)R
5 F
(")R
1 F
1284(process)S
1506(which)S
1691(maps)S
1854(requests)S
2093(for)S
2193(speci\256c)S
2417(RPC)S
2565(services)S
2800(to)S
2874(the)S
2977(partic-)S
3130 4278(t)U
556 4356(p)U
556 4278(ular)U
689(ports)S
852(\(somewhat)S
1172(randomly)S
1455(determined\))S
1803(that)S
1932(they)S
2076(are)S
2187(running)S
2423(on)S
2520(at)S
2598(the)S
2709(moment)S
2954(on)S
3050(tha)S
589 4356(articular)U
834(machine.)S
1100(See)S
1221(the)S
1327(complete)S
1593(discussion)S
1894(of)S
1975(the)S
2081(problems)S
2352(with)S
2495(\256ltering)S
2729(RPC)S
2880(and)S
3001(RPC-)S
1775 4548(-)U
1819(13)S
1907(-)S
EP
%%Page: ? 14
BP
3 F
66 Z
556 642(A)U
1 F
556 486(based)U
728(services)S
962(in)S
1035(Section)S
1254(4.6.)S
3 F
604 642(.9.)U
693(Window)S
954(systems)S
1 F
706 741(V)U
(arious)R
943(window)S
1184(systems)S
1421(vary)S
1566(in)S
1645(what)S
1801(ports)S
1961(they)S
2102(use.)S
2257(X11,)S
2415(for)S
2519(instance,)S
2778(typically)S
3034(uses)S
3126 819(f)U
556 897(t)U
556 819(TCP)U
705(port)S
839(6000)S
999(for)S
1104(the)S
1212(\256rst)S
1343(display)S
1561(on)S
1655(a)S
1712(given)S
1886(machine,)S
2153(port)S
2287(6001)S
2447(for)S
2552(the)S
2659(second)S
2869(display)S
3086(\(i)S
574 897(he)U
660(machine)S
906(has)S
1018(a)S
1071(second)S
1278(display\),)S
1531(and)S
1650(so)S
1733(forth;)S
1903(to)S
1978(protect)S
2184(machines)S
2456(running)S
2685(X11)S
2822(servers,)S
3049(you)S
3126 975(-)U
556 1053(n)U
556 975(must)U
711(\256lter)S
862(ports)S
1021(6000)S
1180(through)S
1412(6000+)S
2 F
(n)R
1 F
(,)R
1658(where)S
2 F
1846(n)S
1 F
1906(is)S
1977(the)S
2084(maximum)S
2377(number)S
2604(of)S
2685(X11)S
2825(servers)S
3038(run)S
589 1053(ing)U
695(on)S
783(any)S
900(single)S
1079(machine)S
1323(behind)S
1524(your)S
1667(\256ltering)S
1897(screen.)S
3 F
556 1308(A)U
1 F
706 1152(OpenWindows)U
1124(uses)S
1260(port)S
1388(2000.)S
3 F
604 1308(.10.)U
726(ICMP)S
1 F
706 1407(I)U
(CMP)R
903(is)S
982(a)S
1046(protocol)S
1300(parallel)S
1531(to)S
1617(TCP)S
1773(and)S
1903(UDP,)S
2088(layered)S
2315(on)S
2415(top)S
2533(of)S
2622(IP,)S
2732(that)S
2864(is)S
2942(used)S
3097(to)S
3130 1485(t)U
556 1563(m)U
556 1485(transmit)U
817(control,)S
1066(information,)S
1439(and)S
1579(error)S
1752(messages)S
2046(between)S
2310(the)S
2435(IP)S
2539(software)S
2811(on)S
2922(differen)S
607 1563(achines.)U
868(Rather)S
1068(than)S
1205(having)S
1408(source)S
1604(or)S
1683(destination)S
1995(ports,)S
2168(ICMP)S
2354(packets)S
2575(simply)S
2778(have)S
2926(a)S
5 F
2979(")S
1 F
(type)R
5 F
(")R
1 F
556 1719(\256)U
556 1641(code)U
705(that)S
828(indicates)S
1086(the)S
1191(nature)S
1380(of)S
1459(the)S
1563(ICMP)S
1749(packets.)S
2009(Most)S
2169(packet)S
2364(\256ltering)S
2596(implement)S
2876(ations)S
3057(can)S
593 1719(lter)U
704(ICMP)S
890(packets)S
1111(by)S
1201(type)S
1338(in)S
1413(the)S
1517(same)S
1676(way)S
1810(as)S
1888(they)S
2024(can)S
2138(\256lter)S
2285(TCP)S
2429(or)S
2507(UDP)S
2663(by)S
2752(port.)S
2920(Some)S
3093(of)S
556 1875(r)U
556 1797(these)U
717(ICMP)S
905(packet)S
1102(types)S
1267(are)S
1373(informational)S
1756(in)S
1833(nature)S
2023(\(such)S
2192(as)S
2273(messages)S
2548(that)S
2672(a)S
2727(packet)S
2923(failed)S
3097(to)S
578 1875(each)U
735(its)S
834(destination)S
1159(because)S
1404(the)S
1521(destination)S
1846(is)S
1926(unreachable)S
2279(or)S
2370(because)S
2614(the)S
2730(packet)S
2937(traveled)S
3115 1953(d)U
556 2031(t)U
556 1953(through)U
794(too)S
911(many)S
1090(routers)S
1306(enroute)S
1536(and)S
1664(timed)S
1845(out\),)S
2000(and)S
2127(should)S
2335(almost)S
2542(certainly)S
2803(be)S
2897(permitte)S
574 2031(hrough)U
791(\256lters.)S
988(Other)S
1168(ICMP)S
1360(packet)S
1561(types)S
1730(are)S
1840(useful)S
2031(for)S
2137(network)S
2382(management)S
2746(and)S
2870(debugging)S
3115 2109(h)U
556 2187(\256)U
556 2109(\(such)U
723(as)S
5 F
802(")S
1 F
(echo)R
978(request)S
5 F
(")R
1 F
1220(and)S
5 F
1338(")S
1 F
(echo)R
1513(reply)S
5 F
(")R
1 F
1699(messages\),)S
2010(and)S
2128(should)S
2327(probably)S
2584(be)S
2669(permitted)S
2943(throug)S
593 2187(lters.)U
770(Still)S
904(other)S
1064(ICMP)S
1251(packet)S
1446(types)S
1609(are)S
1713(instructions)S
2044(\(such)S
2211(as)S
5 F
2290(")S
1 F
(redirect)R
5 F
(")R
1 F
(\))R
2592(that)S
2714(probably)S
2972(should)S
2 F
556 2265(not)U
1 F
662(be)S
746(permitted)S
1019(through)S
1246(\256lters.\262)S
706 2364(Common)U
984(network)S
1233(management)S
1600(tools)S
1760(such)S
1913(as)S
5 F
2000(")S
1 F
(ping)R
5 F
(")R
1 F
2205(and)S
5 F
2332(")S
1 F
(traceroute)R
5 F
(")R
1 F
2682(depend)S
2904(on)S
3002(being)S
3126 2442(-)U
556 2520(s)U
556 2442(able)U
695(to)S
776(send)S
927(and)S
1052(receive)S
1271(ICMP)S
1463(messages.)S
1781(Ping)S
1932(works)S
2124(by)S
2220(sending)S
2455(ICMP)S
2647(echo)S
2801(request)S
3020(mes)S
582 2520(ages,)U
742(and)S
863(listening)S
1115(for)S
1218(ICMP)S
1406(echo)S
1556(response)S
1813(messages.)S
2126(Traceroute)S
2435(works)S
2622(by)S
2713(generating)S
3015(UDP)S
3115 2598(n)U
556 2676(u)U
556 2598(probe)U
738(packets)S
967(that)S
1097(are)S
1209(destined)S
1460(to)S
1543(a)S
1604(random)S
1837(UDP)S
2002(port,)S
2157(then)S
2302(listening)S
2559(for)S
2667(ICMP)S
2860(destinatio)S
589 2676(nreachable)U
895(messages)S
1166(sent)S
1294(in)S
1367(response)S
1620(to)S
1693(the)S
1795(probe)S
1967(packet.)S
3 F
556 2832(A.11.)U
726(Other)S
916(services)S
1 F
706 2931(Other)U
891(network)S
1142(services,)S
1406(such)S
1562(as)S
1652(databases,)S
1956(license)S
2172(servers,)S
2410(print)S
2568(servers,)S
5 F
2806(")S
1 F
(rlogin)R
5 F
(")R
1 F
3053(and)S
3115 3009(d)U
556 3087(a)U
5 F
556 3009(")U
1 F
(rsh)R
5 F
(")R
1 F
716(servers,)S
943(and)S
1061(so)S
1143(forth,)S
1311(all)S
1399(use)S
1510(TCP)S
1654(or)S
1732(UDP)S
1888(ports.)S
2082(In)S
2160(general,)S
2392(if)S
2454(these)S
2611(servers)S
2820(are)S
2922(intende)S
585 3087(nd)U
680(required)S
928(to)S
1008(run)S
1125(as)S
5 F
1209(")S
1 F
(root)R
5 F
(")R
1 F
1371(,)S
1417(they)S
1559(use)S
1675(BSD)S
1832(privileged)S
2126(ports)S
2286(\(ports)S
2468(below)S
2657(1024\),)S
2856(and)S
2979(if)S
3047(not,)S
556 3243(t)U
556 3165(they)U
697(use)S
813(BSD)S
970(unprivileged)S
1330(ports)S
1490(\(ports)S
1672(at)S
1747(or)S
1830(above)S
2014(1024\),)S
2212(though)S
2422(this)S
2544(is)S
2615(not)S
2726(always)S
2936(true.)S
3104(If)S
574 3243(here's)U
758(a)S
809(particular)S
1082(service)S
1290(that's)S
1458(not)S
1564(discussed)S
1839(here)S
1974(that)S
2094(you're)S
2288(interested)S
2565(in)S
2638(special-casing,)S
3049(you)S
3119 3321(e)U
556 3399(s)U
556 3321(can)U
681(often)S
850(\256gure)S
1038(out)S
1156(what)S
1318(ports)S
1484(it)S
1554(uses)S
1702(by)S
1802(examining)S
2113(the)S
2227(RFCs)S
2412(describing)S
2719(the)S
2832(service,)S
3068(th)S
582 3399(ource)U
755(code)S
906(implement)S
1186(ing)S
1296(the)S
1402(service,)S
1631(or)S
1712(\(as)S
1815(a)S
1870(last)S
1987(resort\))S
2185(the)S
2291(output)S
2485(of)S
5 F
2566(")S
1 F
(netstat)R
2791(-a)S
5 F
(")R
1 F
2896(while)S
3068(the)S
6 F
48 Z
556 3912(h)U
1 F
66 Z
556 3477(service)U
764(is)S
830(in)S
903(use.)S
6 F
48 Z
580 3912(hhhhhhhhhhhhhhhhh)U
1 F
556 3981(\262)U
676(ICMP)S
815(redirect)S
981(messages)S
1183(should)S
1332(never)S
2 F
1459(need)S
1 F
1570(to)S
1628(pass)S
1732(through)S
1902(a)S
1944(\256ltering)S
2116(router,)S
2263(anyway,)S
2445(since)S
2564(they)S
2666(are)S
2744(only)S
2849(sup-)S
676 4101(a)U
676 4041(posed)U
807(to)S
863(be)S
927(generated)S
1131(by)S
1198(the)S
1275(\256rst)S
1369(router)S
1502(a)S
1542(packet)S
1685(reached)S
1852(after)S
1958(leaving)S
2117(its)S
2181(originating)S
2409(host;)S
2520(that)S
2609(router)S
2741(should)S
2887(be)S
697 4101(ble)U
772(send)S
877(any)S
963(necessary)S
1166(ICMP)S
1301(redirect)S
1463(back)S
1570(directly)S
1731(to)S
1784(the)S
1858(originating)S
2083(host,)S
2191(without)S
2353(having)S
2499(to)S
2552(send)S
2656(it)S
2698(through)S
2863(any)S
2908 4161(g)U
676 4221(s)U
676 4161(other)U
791(routers.)S
969(An)S
1045(attempt)S
1204(to)S
1258(route)S
1373(an)S
1435(ICMP)S
1569(redirect)S
1730(message)S
1908(is)S
1956(a)S
1993(sign)S
2089(of)S
2145(either)S
2269(network)S
2442(miscon\256guration,)S
2794(routin)S
695 4221(oftware)U
857(bugs,)S
976(or)S
1032(malicious)S
1233(activity)S
1391(by)S
1455(someone)S
1641(probing)S
1806(for)S
1878(weaknesses.)S
66 Z
1775 4548(-)U
1819(14)S
1907(-)S
EP
%%Trailer
pscatsave end restore
%%Pages: 14