Date: Sun, 24 Feb 2002 03:06:01 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Jeff Palmer <scorpio@drkshdw.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Message-ID: <20020224030601.A24528@cowbert.2y.net>
In-Reply-To: <003b01c1bcda$d4f06020$0286a8c0@home.lan>; from scorpio@drkshdw.org on Sat, Feb 23, 2002 at 09:27:39PM -0500
References: <003b01c1bcda$d4f06020$0286a8c0@home.lan>
Some people prefer to block all ICMP, but personally, I do not support that line of thought, because blocking ICMP breaks routing RFCs. Furthermore, although people can't, say, ping your box, they can still DoS the machine by overwhelming the ipfw rules.

On Sat, Feb 23, 2002 at 09:27:39PM -0500, Jeff Palmer wrote:
> Hi all.
>
> I have a few concerns with the default /etc/rc.firewall.
> It's fairly common practice (and typically considered to be the most secure practice) to build a default-to-deny firewall. Only traffic that you specifically allow can pass.
>
> Taking this into consideration, I checked 'man firewall' and find that it too agrees with the above.
>
> Having said that... is where we get into my problem.
> I compile my kernel with ipfw support, without the default_to_allow, and use a slightly modified "simple" configuration. This, by default, denies all incoming ICMP.
> So, I again referred back to 'man firewall' and again, it agrees with my thinking.. Certain ICMP types are beneficial, and should not be denied (especially considering most users probably aren't "into" security, so they use a default firewall if any at all.)
>
> Is there any reason in particular that ALL ICMP traffic is denied by default, except for using the 'open' ruleset?
> Or is this just a simple oversight that needs to be examined?
>
> Thanks in advance for any feedback.
> Also, thanks for NOT flaming me if I've missed something obvious.
>

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
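The middle ground both posters are circling, a default-to-deny ruleset that still admits the ICMP types a host needs, looks like the fragment below. This is an added example written for this page, not code from the thread or from FreeBSD's /etc/rc.firewall; the function names, the rule numbers, the choice of ICMP types and the dry-run `fwcmd` variable are all this example's own assumptions. The ICMP type numbers and their meanings are the IANA assignments; the `icmptypes` keyword is ipfw's.

```sh
#!/bin/sh
# Added example, not part of the original message or of FreeBSD's rc.firewall.
# Default-to-deny ipfw fragment that keeps the ICMP types needed for correct
# routing behaviour while dropping everything else in ICMP.
#
# By default this is a dry run that prints the ipfw commands. To apply them
# for real, run as root with:  fwcmd=ipfw sh this_script.sh
fwcmd="${fwcmd:-echo ipfw}"

# ICMP types left open (IANA type numbers):
#   0  echo reply              replies to pings we sent ourselves
#   3  destination unreachable includes code 4 "fragmentation needed", which
#                              Path MTU discovery relies on; dropping it makes
#                              large transfers stall silently
#   8  echo request            lets others ping this host; remove "8" from the
#                              list if that is not wanted
#  11  time exceeded           TTL expiry, needed for traceroute to work
ALLOWED_ICMP_TYPES="0,3,8,11"

# is_icmp_type_allowed TYPE
# Returns 0 if TYPE is in ALLOWED_ICMP_TYPES, 1 otherwise (used for review).
is_icmp_type_allowed() {
    case ",$ALLOWED_ICMP_TYPES," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# emit_icmp_rules BASE
# Installs (or prints) the ICMP rules starting at rule number BASE.
emit_icmp_rules() {
    base="$1"
    # Admit only the listed types; everything else falls through to the deny.
    $fwcmd add "$base" allow icmp from any to any icmptypes "$ALLOWED_ICMP_TYPES"
    # Log the remainder so an ICMP flood shows up in syslog instead of vanishing.
    $fwcmd add $((base + 10)) deny log icmp from any to any
}

# emit_default_deny
# The rule that makes the set default-to-deny: anything not explicitly
# allowed above it is dropped and logged.
emit_default_deny() {
    $fwcmd add 65000 deny log ip from any to any
}

# Dry-run demonstration: prints the three rules.
emit_icmp_rules 300
emit_default_deny
```

Because the rules are written with `fwcmd` as a prefix, the same file serves as both documentation and deployment: read the printed commands first, then re-run with `fwcmd=ipfw` to load them. The deny for the remaining ICMP types is logged deliberately; if a host is being flooded the log line, not the silent drop, is what tells the operator.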