To prevent this spoofing, apply an input access list to the router interface that faces the outside world. This access list denies any packet whose source address belongs to one of the internal networks the router knows about (13.0 and 14.0).
TIPS:
If you have several internal networks connected to the firewall router and the router uses output filters, traffic between the internal networks will suffer reduced performance because of the access-list filtering. If input filters are used only on the interface from the router to the outside world, the internal networks see no performance reduction. A host that uses source routing can send and receive traffic through the firewall router. For this reason, you should always disable source routing on the firewall router with the no ip source-route command.
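The following is an added example, not from the chapter: a small Python model of the inbound anti-spoofing filter and the source-route rule described above, using IOS wildcard-mask semantics and first-match evaluation. The interface name Serial0, the Ethernet0 internal interface, and reading "13.0" and "14.0" as the class A networks 13.0.0.0 and 14.0.0.0 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    source: str
    wildcard: str   # IOS wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, src: str) -> bool:
        a, s, w = (int(IPv4Address(x)) for x in (src, self.source, self.wildcard))
        keep = 0xFFFFFFFF ^ w   # the bits that must be equal
        return a & keep == s & keep

# Anti-spoofing list for the outside interface; "13.0"/"14.0" are assumed class A.
ACL_101 = [
    AclEntry("deny", "13.0.0.0", "0.255.255.255"),
    AclEntry("deny", "14.0.0.0", "0.255.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]
OUTSIDE_IF = "Serial0"   # assumed name of the interface to the outside world

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    source_routed: bool = False   # carries a loose/strict source-route IP option

def acl_decision(acl: list, src: str) -> str:
    """First matching entry wins, exactly as IOS evaluates an access list."""
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"   # the implicit deny at the end of every access list

def forward(pkt: Packet) -> str:
    """Return 'forward' or 'drop' for a packet entering the firewall router."""
    if pkt.source_routed:
        return "drop"   # "no ip source-route": source-routed datagrams are discarded
    # Inbound filter on the outside interface only: internal traffic is never checked.
    if pkt.in_iface == OUTSIDE_IF and acl_decision(ACL_101, pkt.src) == "deny":
        return "drop"
    return "forward"

SAMPLES = [   # constructed sample traffic, not captured data
    Packet("Serial0", "13.1.2.3"),        # outside packet claiming an inside source
    Packet("Serial0", "198.51.100.7"),    # legitimate inbound traffic
    Packet("Ethernet0", "13.1.2.3"),      # internal to internal, never filtered
    Packet("Serial0", "198.51.100.7", source_routed=True),
]
```

Calling forward() on the four SAMPLES in order yields drop, forward, forward, drop; only the first packet is rejected by the access list itself, the last by the source-route rule.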
Every application that intends to receive data from a TCP/IP network calls the TCP/IP service to acquire a port, a 16-bit number unique to that application on that particular host. Any well-formed incoming datagram with that port number in its TCP or UDP header is delivered to that application. Fragmented datagrams only contain port information in the first datagram fragment (fragment 0). By convention, any transmitting application also owns a port number on its host, and it supplies that port number in the destination port field of the datagrams it sends. The port numbers are divided into three ranges, as follows:
Well-known ports are controlled and assigned by the IANA and on most systems can be used only by system (or root) processes or by programs executed by privileged users. Ports are used in the TCP [RFC793] to name the ends of logical connections that carry long term conversations. For providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the well-known port.
Table 10-2 Port number assignments

| Port # | Port Type | Protocol | Keyword |
| --- | --- | --- | --- |
| 0 | TCP & UDP | Reserved | |
| 1-4 | TCP & UDP | Unassigned | |
| 5 | TCP & UDP | Remote Job Entry | RJE |
| 7 | TCP & UDP | Echo | ECHO |
| 9 | TCP & UDP | Discard | DISCARD |
| 11 | TCP & UDP | Active Users | USERS |
| 13 | TCP & UDP | Daytime | DAYTIME |
| 15 | TCP & UDP | Who is up or Netstat | NETSTAT |
| 17 | TCP & UDP | Quote of the Day | QUOTE |
| 19 | TCP & UDP | Character Generator | CHARGEN |
| 20 | TCP & UDP | File Transfer (Default Data) | FTP-DATA |
| 21 | TCP & UDP | File Transfer (Control) | FTP |
| 23 | TCP & UDP | Telnet | TELNET |
| 25 | TCP & UDP | Simple Mail Transfer Protocol (SMTP) | SMTP |
| 37 | TCP & UDP | Time | TIME |
| 39 | TCP & UDP | Resource Location Protocol | RLP |
| 42 | TCP & UDP | Host Name Server | NAMESERVER |
| 43 | TCP & UDP | Who Is | NICNAME |
| 49 | TCP & UDP | Terminal Access Controller Access Control System (TACACS) | TACACS |
| 53 | TCP & UDP | Domain Name Server | DOMAIN |
| 67 | TCP & UDP | Bootstrap Protocol Server | BOOTPS |
| 68 | TCP & UDP | Bootstrap Protocol Client | BOOTPC |
| 69 | TCP & UDP | Trivial File Transfer Protocol | TFTP |
| 70 | TCP & UDP | Gopher | GOPHER |
| 75 | TCP & UDP | Any private dial-out service | |
| 77 | TCP & UDP | Any private RJE service | |
| 79 | TCP & UDP | Finger | FINGER |
| 80 | TCP & UDP | Hypertext Transfer Protocol (HTTP) | www |
| 87 | TCP | Link (commonly used by intruders) | |
| 88 | TCP & UDP | Kerberos | KERBEROS |
| 89 | TCP & UDP | Open Shortest Path First | OSPF |
| 95 | TCP | SUPDUP Protocol | SUPDUP |
| 101 | TCP | NIC Host Name Server | HOSTNAME |
| 102 | TCP | ISO-TSAP | ISO-TSAP |
| 103 | TCP | X400 | X400 |
| 104 | TCP | X400-SND | X400-SND |
| 107 | TCP & UDP | Remote Telnet Service | RTELNET |
| 109 | TCP | Post Office Protocol v2 | POP2 |
| 110 | TCP | Post Office Protocol v3 | POP3 |
| 111 | TCP & UDP | SUN Remote Procedure Call | SUNRPC |
| 113 | TCP & UDP | Authentication Service | AUTH |
| 117 | TCP & UDP | UUCP Path Service | UUCP-PATH |
| 119 | TCP & UDP | USENET Network News Transfer Protocol | NNTP |
| 123 | TCP & UDP | Network Time Protocol (NTP) | Well-Known |
| 133-136 | TCP & UDP | Unassigned | |
| 137 | UDP | NETBIOS Name Service | NETBIOS-NS |
| 137 | TCP | Unassigned | |
| 138 | UDP | NETBIOS Datagram Service | NETBIOS-DGM |
| 138 | TCP | Unassigned | |
| 139 | UDP | NETBIOS Session Service | NETBIOS-SSN |
| 144 | TCP | NeWS | Well-Known |
| 161 | TCP & UDP | Simple Network Mgmt. Protocol Q/R | SNMP |
| 162 | TCP & UDP | SNMP Event Traps | SNMP-TRAP |
| 177 | UDP | X Display Manager Control Protocol | xdmcp |
| 179 | TCP & UDP | Border Gateway Protocol (BGP) | Well-Known |
| 194 | TCP & UDP | Internet Relay Chat | IRC |
| 195 | UDP | DNSIX security protocol auditing | Dnsix |
| 389 | TCP & UDP | Lightweight Directory Access Protocol | LDAP |
| 434 | UDP | Mobile IP Registration | Mobile-ip |
| 512 | TCP | UNIX rexec (Control) | rexec |
| 513 | TCP & UDP | UNIX rlogin | rlogin |
| 514 | TCP & UDP | UNIX rsh and rcp, Remote Commands | rsh |
| 514 | TCP | System Logging | Syslog |
| 515 | TCP | UNIX Line Printer Remote Spooling | printer |
| 517 | TCP & UDP | Two User Interaction (talk) | Well-Known |
| 518 | TCP & UDP | ntalk | Well-Known |
| 520 | UDP | Routing Information Protocol | RIP |
| 525 | UDP | Time Server | timed |
| 540 | TCP | UNIX-to-UNIX copy program daemon | uucpd |
| 543 | TCP | Kerberos login | klogin |
| 544 | TCP | Kerberos shell | kshell |
| 1993 | TCP | SNMP over TCP | |
| 2000 | TCP & UDP | Open Windows | Well-Known |
| 2001 | | Auxiliary (AUX) port | |
| 2049 | UDP | Network File System (NFS) | Well-Known |
| 4001 | | Auxiliary (AUX) port (stream) | |
| 6000 | TCP & UDP | X11 (X Windows) | Well-Known |