Priority
Low
Description
The current port-filtering implementation could be strengthened by adding an explicit NAT blacklist for dangerous ports rather than relying solely on Squid ACL filtering.
Impact
- Severity: Low
- Attack Vector: Bypass of ACL filtering in edge cases
- Risk: Access to dangerous ports if ACL fails
Proposed Solution
Implement explicit iptables NAT rules to blacklist dangerous ports:
# Block dangerous ports in NAT PREROUTING. RETURN ends traversal of the nat
# PREROUTING chain, so the later REDIRECT that sends traffic to Squid is skipped
# and these ports are never handed to the proxy at all.
# Note: -A appends, so these rules only take effect if they end up ahead of the
# REDIRECT rule; if that rule already exists, insert with -I instead.
iptables -t nat -A PREROUTING -p tcp --dport 22 -j RETURN    # SSH
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j RETURN  # MySQL
# ... etc
This provides defense-in-depth beyond Squid ACL filtering.
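As an added verification aid (not part of this ticket or of setup-iptables.sh), the following audits iptables-save output to confirm that each blacklisted port's RETURN is evaluated before any REDIRECT that could already match it; the ruleset and the extra port 23 are constructed for the example.

```python
import re

# Ports named in the ticket (22, 3306); 23 is a constructed extra to show the 'missing' case.
DANGEROUS_PORTS = {22, 23, 3306}

# Constructed iptables-save excerpt, not captured from a real host. The 3306 RETURN
# was appended after the catch-all REDIRECT to Squid, so it is never evaluated.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
-A PREROUTING -p tcp -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 3306 -j RETURN
COMMIT
"""

def prerouting_rules(save_text):
    """Return the nat-table PREROUTING rules, in evaluation order."""
    rules, in_nat = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A PREROUTING"):
            rules.append(line)
    return rules

def parse_rule(rule):
    """Extract (destination port or None, jump target) from one rule line."""
    dport = re.search(r"--dport (\d+)", rule)
    target = re.search(r"-j (\S+)", rule)
    return (int(dport.group(1)) if dport else None,
            target.group(1) if target else None)

def audit_blacklist(save_text, ports):
    """Classify each port as 'ok', 'shadowed' (its RETURN sits after a REDIRECT
    that already matches it, so the packet reaches Squid anyway) or 'missing'."""
    status = {p: "missing" for p in ports}
    redirected = set()  # ports an earlier REDIRECT would already have matched
    for rule in prerouting_rules(save_text):
        dport, target = parse_rule(rule)
        if target == "REDIRECT":
            redirected |= set(ports) if dport is None else {dport} & set(ports)
        elif target == "RETURN" and status.get(dport) == "missing":
            status[dport] = "shadowed" if dport in redirected else "ok"
    return status

if __name__ == "__main__":
    for port, verdict in sorted(audit_blacklist(SAMPLE_RULES, DANGEROUS_PORTS).items()):
        print(f"port {port}: {verdict}")
```

On a real host, feed it `iptables-save -t nat` output; any 'shadowed' result means the blacklist rule exists but provides no protection.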
Effort Estimate
~2 hours
References
containers/agent/setup-iptables.sh