Well, it's a wide variety of IPs, but it is client-only type traffic. The razor servers do not need to initiate connections to port 2703 on your machine, so is there any significant risk in allowing your machine to initiate client connections to any outside machine on port 2703 (provided there's some careful TCP-flags-based filtering of inbound traffic to make sure it's not used to smuggle in connection requests)?

Rough pseudo-code firewall rules for a packet filter type firewall would be:

<kill IP spoofing on outbound traffic>
deny outbound IP from AnythingButMyNetwork to anywhere

<allow outbound tcp traffic to tcp echo and razor2 ports>
allow outbound TCP from myrazorserver any port >1023 to anyip port 7
allow outbound TCP from myrazorserver any port >1023 to anyip port 2703

<kill inbound IP spoofs>
deny inbound IP from MyNetwork to anywhere

<allow inbound tcp traffic from tcp echo and razor2 ports to my server, but do not allow connections to be initiated this way>
allow inbound TCP from anyip port 7 to myrazorserver any port >1023 required flag ACK
allow inbound TCP from anyip port 2703 to myrazorserver any port >1023 required flag ACK

<disallow inbound traffic to local "tiny services">
deny inbound tcp from anyip anyport to anyip any port < 20
deny inbound udp from anyip anyport to anyip any port < 20

<insert other sensible denies on inbound/outbound traffic as needed>

For a stateful firewall require the connection to be established instead of requiring the ack flag on inbound traffic. Your exact syntax will vary depending on what packet filter/firewall tool you use, but that's the conditions you need to apply.

Note: As far as I know, and I'll admit to making mistakes sometimes but I've thought long and hard about this one, the above configuration does NOT allow your network to be used as a waypoint in tcp echo-chargen loopback attacks. It also does not allow such attacks to be initiated against your network. It does not allow your network to send spoofed requests to initiate echo-chargen loopback attacks against other networks. All of this is true, as far as I can deduce, even if "myrazorserver" is running an otherwise unsecured echo and chargen server.

I can't guarantee that this is 100% hole-free, but I'd be hard pressed to picture a way to exploit the above configuration for DoS attacks. If anyone can point out an exploit, I'd love to hear it, but be wary of the fact that inbound syn-with-no-ack is needed to open a TCP socket.

At 01:14 PM 11/1/2002 -0800, Henry Kwan wrote:
>
> At the command line run:
>
> spamassassin -tD < sample-spam.txt
>
> At the top will be extensive debug output including any problems reading
> the rules file, any lack of DNS support, etc, as well as debug status while
> running razor.
>

Great. Thanks to all for the tips. I ran the sample text through and it
does appear that SA is invoking the razor2 test.

As an aside, does anyone know the range of IPs that you need to open for
razor? I currently have 216.52.13.90 through 216.52.13.94 open for TCP Port
2703.

Thanks again.


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
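To make the pseudo-rules in the message above concrete, here is an added example (not code from the original mail or from the razor or SpamAssassin projects) that encodes them as a first-match, default-deny rule table and runs constructed packets through it. It also includes a small stateful variant of the kind the mail mentions, which accepts an inbound segment only if it answers a connection the razor host opened, rather than trusting the ACK flag alone. The network prefix 192.0.2.0/24, the host 192.0.2.10 and the peer 203.0.113.5 are assumptions (documentation address ranges), as are the packet samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the mail): a documentation prefix standing in for
# "MyNetwork" and one host in it running the razor client.
MY_NET = ip_network("192.0.2.0/24")
RAZOR_SERVER = ip_address("192.0.2.10")
ECHO, RAZOR2 = 7, 2703


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out", relative to my network
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set on the segment


# First-match rule table mirroring the pseudo-rules in the mail; default deny.
RULES = [
    # kill IP spoofing on outbound traffic
    ("deny", lambda p: p.direction == "out" and ip_address(p.src) not in MY_NET),
    # allow outbound TCP from the razor host (ephemeral port) to echo / razor2
    ("allow", lambda p: p.direction == "out" and p.proto == "tcp"
              and ip_address(p.src) == RAZOR_SERVER and p.sport > 1023
              and p.dport in (ECHO, RAZOR2)),
    # kill inbound IP spoofs
    ("deny", lambda p: p.direction == "in" and ip_address(p.src) in MY_NET),
    # allow inbound TCP from echo / razor2 ports back to the razor host, ACK
    # required, so a bare SYN cannot open a connection through this hole
    ("allow", lambda p: p.direction == "in" and p.proto == "tcp"
              and p.sport in (ECHO, RAZOR2) and ip_address(p.dst) == RAZOR_SERVER
              and p.dport > 1023 and "ACK" in p.flags),
    # disallow inbound traffic to local "tiny services" (ports below 20)
    ("deny", lambda p: p.direction == "in" and p.proto in ("tcp", "udp")
             and p.dport < 20),
]


def filter_packet(pkt, rules=RULES):
    """Return 'allow' or 'deny' from the first matching rule; default deny."""
    for action, matches in rules:
        if matches(pkt):
            return action
    return "deny"


class StatefulFilter:
    """Stateful variant: an inbound segment is accepted only if it carries ACK
    and answers a connection this host opened (reversed 4-tuple seen leaving).
    Outbound traffic still goes through the spoof check and the outbound allow."""

    def __init__(self):
        self.opened = set()

    def filter_packet(self, pkt):
        if pkt.direction == "out":
            verdict = filter_packet(pkt, RULES[:2])
            if verdict == "allow" and "SYN" in pkt.flags:
                self.opened.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        if ip_address(pkt.src) in MY_NET or pkt.dport < 20:
            return "deny"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.opened and "ACK" in pkt.flags else "deny"


def verdicts():
    """Run a constructed packet set through both filters (order matters: the
    outbound SYN comes first so the stateful filter can record it)."""
    me, peer = "192.0.2.10", "203.0.113.5"
    cases = {
        "razor_syn_out": Packet("out", "tcp", me, 40000, peer, RAZOR2, frozenset({"SYN"})),
        "razor_synack_in": Packet("in", "tcp", peer, RAZOR2, me, 40000, frozenset({"SYN", "ACK"})),
        "bare_syn_in_from_2703": Packet("in", "tcp", peer, RAZOR2, me, 40000, frozenset({"SYN"})),
        "unsolicited_ack_in": Packet("in", "tcp", peer, RAZOR2, me, 50000, frozenset({"ACK"})),
        "spoofed_src_out": Packet("out", "tcp", "203.0.113.9", 40000, peer, ECHO, frozenset({"SYN"})),
        "spoofed_src_in": Packet("in", "tcp", "192.0.2.77", ECHO, me, 40000, frozenset({"ACK"})),
        "echo_to_chargen_in": Packet("in", "tcp", peer, ECHO, me, 19, frozenset({"ACK"})),
        "other_host_out": Packet("out", "tcp", "192.0.2.20", 40000, peer, RAZOR2, frozenset({"SYN"})),
    }
    stateless = {name: filter_packet(p) for name, p in cases.items()}
    sf = StatefulFilter()
    stateful = {name: sf.filter_packet(p) for name, p in cases.items()}
    return stateless, stateful


if __name__ == "__main__":
    for label, table in zip(("stateless", "stateful"), verdicts()):
        for name, verdict in table.items():
            print(f"{label:9} {name:24} {verdict}")
```

The stateless table confirms the mail's claims for these samples: the razor SYN leaves, its SYN/ACK comes back, a bare SYN arriving from port 2703 is dropped, spoofed source addresses are dropped in both directions, and an inbound segment aimed at the local chargen port never reaches it. The one difference the stateful variant shows is the "unsolicited_ack_in" case: the flag-based rule lets an ACK segment in even though no connection was opened (the host's TCP stack would answer it with a reset, which is the mail's point that no socket opens without a SYN), while the stateful filter drops it because no matching outbound connection exists.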
