Security – Can someone explain what this vulnerability means

Tags: firewall, networking, security, tcpip, vulnerabilities

I'm having a bit of a problem getting my head round what this vulnerability means. Can someone help me understand it?

I'm particularly puzzled by the RESULTS section. Why would source port 25 be any different from a random source port? They're both originating from the outside world.

Vulnerability:
TCP Source Port Pass Firewall

THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

COMPLIANCE:
Not Applicable

RESULTS:
The host responded 4 times to 4 TCP SYN probes sent to destination port 22 using source port 25. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

Best Answer

When a client connects to a server, the client picks a free TCP port it has between 1024 and 65535. On Linux/Unix, a non-root user can't pick a port < 1024. Then it connects to a well-known port, like 80 for HTTP...

The report claims that it can reach the destination port if the source port is specific (22 and 25 in your sample), but it can't if it uses a random port (between 1024 and 65535, for example). Clients normally use a random port, so your rule shouldn't take the source port number into account.

So one of your rules is bad, because it allows flows if the source port is specific, whereas it should only filter on the destination port, which is the only static part between the two.

I guess you mis-created one of your rules by inadvertently exchanging the source and destination values.
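An added example, not from the question or the answer, that replays the scanner's probes against two stateless rule sets: one with the swapped source/destination field the answer suspects, and one keyed on the destination port only. The rule sets, the `iptables` line in the comment and the probe logic are assumptions of mine, not the asker's actual firewall configuration.

```python
"""Model of the 'TCP Source Port Pass Firewall' finding: a rule that
matches on the *source* port lets SYNs through that a rule keyed on the
destination port would block. Rule sets below are constructed examples."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    sport: int
    dport: int


# A rule is (field, port, action); first match wins, default is DROP.
# Assumed misconfiguration: the admin meant to allow traffic *to* port 25
# but swapped the fields, i.e. the equivalent of
#   iptables -A INPUT -p tcp --sport 25 -j ACCEPT
MISCONFIGURED = [("sport", 25, "ACCEPT"), ("dport", 22, "DROP")]
# Corrected set: every decision keys on the destination port only.
CORRECTED = [("dport", 25, "ACCEPT"), ("dport", 22, "DROP")]


def decide(rules, syn):
    """Return the first matching rule's action, or DROP if none matches."""
    for field, port, action in rules:
        if getattr(syn, field) == port:
            return action
    return "DROP"


def probe(rules, dport, sport=None, count=4, seed=0):
    """Replay the scanner's check: `count` SYNs to `dport`, from a fixed
    source port if given, otherwise from random ephemeral ports (1024-65535).
    Returns how many probes the host would answer (ACCEPT)."""
    rng = random.Random(seed)
    answered = 0
    for _ in range(count):
        sp = sport if sport is not None else rng.randint(1024, 65535)
        if decide(rules, Syn(sp, dport)) == "ACCEPT":
            answered += 1
    return answered


def source_port_pass(rules, dport, sport):
    """True when the finding applies: the fixed source port gets answers
    while random source ports get none."""
    return probe(rules, dport, sport) > 0 and probe(rules, dport) == 0


if __name__ == "__main__":
    for name, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, "sport 25:", probe(rules, 22, 25), "random:", probe(rules, 22),
              "finding:", source_port_pass(rules, 22, 25))
```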
