Date:      Wed, 15 Aug 2001 09:39:47 +0200 (CEST)
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        default - Subscriptions <default013subscriptions@hotmail.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Question about default IPFW Rules...
Message-ID:  <Pine.BSF.4.21.0108150910020.1666-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <OE35Fur2iz2Mb1s7nlT0000ba58@hotmail.com>

On Tue, 14 Aug 2001, default - Subscriptions wrote:

> I have a question about this rule in the default rc.firewall script:
> 
>         # Allow any traffic to or from my own net
>         ${fwcmd} add pass all from ${ip} to ${net}:${mask}
>         ${fwcmd} add pass all from ${net}:${mask} to ${ip}
> 
> If one is on a cable/dsl connection like @home, wouldn't this rule supersede
> all other rules and let any traffic in from my I.P. address range? (given
> that example I.P. is 192.168.0.3, and netmask is 255.255.255.0)
It would. _First matching rule wins_.

> I am concerned with this because I do have hackers in my range that have
> been trying to get in...
Well... /etc/rc.firewall contains just "typical" rulesets and they SHOULD
be customized...

The "CLIENT" ruleset is built based on the following assumption "local
network is friendly, rest of the world is not". This makes a lot of
sense: for example if you're inside a company which has a class C address
block you'd normally allow all access from this block (your colleague at
the next desk won't break in), right?

However you are also on class C subnet, yet your network neighbors are
"untrusted". So, as you said, they need to be denied access similarly to
the rest of the world. 

IMPORTANT: The netmask in /etc/rc.firewall DOES NOT affect your routing
configuration. It is used because of the assumption that "local net
is friendly" described above.

> Is there a better way to do this? 
Standard approach is "deny by default": deny everyone, ALLOW friends.
This is more convenient than trying to determine who may want to break in
and who may not.

> Or would you guys suggest removing this
> rule completely? (I have not tried this yet...)
The rule may be safely removed (commenting out is more convenient).
In your case, it should be.

> I am on an @home connection with two I.P. addresses bound to my NIC. they
> are both in the same range (ex. 192.168.0.3 and 192.168.0.4) ... the gateway
> is 192.168.0.1...
So you have to cover both in your ruleset but I guess you've already done
so. 
 
> I was thinking maybe I could limit this to traffic with my gateway and my
> own I.P. addresses, as I have provided other rules for things like DNS ...
IMHO you should set limits both on the firewall and services. This is
something of a multi-layered defence concept. If your firewall is disabled
for some reason (debugging ruleset etc.) you'll still have some protection.
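
The "deny everyone, allow friends" ruleset the reply recommends, written out for the layout in the question (two addresses on one NIC, gateway 192.168.0.1, untrusted neighbours in the same /24). This is an added example, not code from the original message or from FreeBSD's /etc/rc.firewall; the interface name fxp0, the ${fwcmd} fallback and the assumption that the gateway is also the DHCP server are mine, the addresses are the poster's examples.

```sh
#!/bin/sh
# Added example (not from the original message or FreeBSD's rc.firewall):
# a "deny by default" client ruleset for the layout in the question.
# Assumptions: outside interface fxp0, the gateway is also the DHCP server.
#
# Every rule is issued through ${fwcmd}, the way rc.firewall does it. On a
# FreeBSD box set fwcmd=/sbin/ipfw; anywhere else the default just prints the
# commands so the ruleset can be reviewed (and checked by check_ruleset)
# without a kernel to load it into.

oif="${oif:-fxp0}"                      # assumed: outside interface name
ips="${ips:-192.168.0.3 192.168.0.4}"   # the two addresses bound to the NIC
gw="${gw:-192.168.0.1}"                 # the poster's gateway
fwcmd="${fwcmd:-echo ipfw}"             # dry run unless overridden

build_ruleset() {
    ${fwcmd} -f flush

    # Loopback: pass it on lo0, drop anything claiming 127/8 anywhere else.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny all from 127.0.0.0/8 to any

    # Replies to TCP connections we set up ourselves.
    ${fwcmd} add 1000 pass tcp from any to any established

    # DHCP renewals from the gateway (assumed to be the DHCP server).
    ${fwcmd} add 1500 pass udp from ${gw} 67 to any 68 via ${oif}

    for ip in $ips; do
        # "Friends": only the gateway's own address, never ${net}:${mask}.
        # This matches packets the gateway itself originates (ICMP from the
        # router), not traffic it merely forwards from the Internet.
        ${fwcmd} add 2000 pass all from ${ip} to ${gw}
        ${fwcmd} add 2000 pass all from ${gw} to ${ip}

        # Outbound TCP we initiate; inbound setup is denied further down.
        ${fwcmd} add 3000 pass tcp from ${ip} to any setup

        # DNS and NTP, same shape as the stock client rules. Matching on a
        # source port of 53 or 123 is weak (any host can send from that port),
        # which is why the reply says to limit the services as well.
        ${fwcmd} add 3100 pass udp from ${ip} to any 53
        ${fwcmd} add 3100 pass udp from any 53 to ${ip}
        ${fwcmd} add 3200 pass udp from ${ip} to any 123
        ${fwcmd} add 3200 pass udp from any 123 to ${ip}
    done

    # Nobody else may open a TCP connection to us.
    ${fwcmd} add 4000 deny tcp from any to any setup

    # First matching rule wins, so the catch-all must be last: log and drop
    # whatever nothing above allowed, including every other host in the /24.
    ${fwcmd} add 65000 deny log all from any to any
}

# Sanity check on the generated ruleset: it must end in an explicit deny and
# must not contain the blanket pass for the ${net}:${mask} range the poster
# was worried about. Returns 0 when both hold, 1 otherwise.
check_ruleset() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | tail -n 1 | grep -q 'deny log all from any to any' || return 1
    printf '%s\n' "$rules" | grep -q '192.168.0.0:255.255.255.0' && return 1
    return 0
}

# Run as a script: print (or, with fwcmd=/sbin/ipfw, load) the ruleset.
if [ "${1:-}" = "--run" ]; then
    check_ruleset || { echo "ruleset check failed" >&2; exit 1; }
    build_ruleset
fi
```

Reviewing the printed output before setting fwcmd=/sbin/ipfw is the point of the dry run: with ipfw, a mistake in the ruleset on a remote box can lock you out, and the last rule is the one that actually enforces the "rest of the world is not friendly" assumption.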



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0108150910020.1666-100000>