Date: Wed, 15 Aug 2001 09:39:47 +0200 (CEST)
From: Krzysztof Zaraska
To: default - Subscriptions
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Question about default IPFW Rules...

On Tue, 14 Aug 2001, default - Subscriptions wrote:

> I have a question about this rule in the default rc.firewall script:
>
> # Allow any traffic to or from my own net
> ${fwcmd} add pass all from ${ip} to ${net}:${mask}
> ${fwcmd} add pass all from ${net}:${mask} to ${ip}
>
> If one is on a cable/dsl connection like @home, wouldn't this rule supersede
> all other rules and let any traffic in from my I.P. address range? (given
> that example I.P. is 192.168.0.3, and netmask is 255.255.255.0)

It would. _First matching rule wins_.

> I am concerned with this because I do have hackers in my range that have
> been trying to get in...

Well... /etc/rc.firewall contains just "typical" rulesets and they SHOULD be
customized... The "CLIENT" ruleset is built on the following assumption:
"local network is friendly, rest of the world is not".

This makes a lot of sense: for example, if you're inside a company which has a
class C address block you'd normally allow all access from this block (your
colleague at the next desk won't break in), right? However, you are also on a
class C subnet, yet your network neighbors are "untrusted". So, as you said,
they need to be denied access similarly to the rest of the world.

IMPORTANT: The netmask in /etc/rc.firewall DOES NOT affect your routing
configuration. It is used because of the assumption that "local net is
friendly" described above.

> Is there a better way to do this?

Standard approach is "deny by default": deny everyone, ALLOW friends. This is
more convenient than trying to determine who may want to break in and who may
not.

> Or would you guys suggest removing this
> rule completely? (I have not tried this yet...)

The rule may be safely removed (commenting out is more convenient). In your
case, it should be.

> I am on an @home connection with two I.P. addresses bound to my NIC. they
> are both in the same range (ex. 192.168.0.3 and 192.168.0.4) ... the gateway
> is 192.168.0.1...

So you have to cover both in your ruleset, but I guess you've already done so.

> I was thinking maybe I could limit this to traffic with my gateway and my
> own I.P. addresses, as I have provided other rules for things like DNS ...

IMHO you should set limits both on the firewall and services. This is
somewhat the concept of multi-layered defence. If your firewall is disabled
for some reason (debugging ruleset etc.) you'll still have some protection.
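The "deny by default, allow friends" ruleset described in the reply, written out as an added example (not code from the thread or from rc.firewall): it trusts only the host's own two addresses and the gateway instead of the whole ${net}:${mask}, so the neighbours on the cable segment fall through to the final deny. The rule numbers, the function name and the use of FWCMD=echo for previewing are my assumptions; the addresses are the constructed ones from the thread.

```shell
#!/bin/sh
# Added example, not from the post. Set FWCMD=echo to preview the ruleset
# without touching a live firewall; on FreeBSD use FWCMD=/sbin/ipfw.
FWCMD="${FWCMD:-echo}"

# build_client_rules "<own ip list>" <gateway> <net> <mask>
# Emits a client ruleset in which the first matching rule wins, so the
# narrow "pass" rules come before the broad "deny" rules.
build_client_rules() {
    own_ips="$1"; gw="$2"; net="$3"; mask="$4"

    $FWCMD -f flush
    # Loopback is always fine, and replies to our own TCP connections.
    $FWCMD add 100 pass all from any to any via lo0
    $FWCMD add 200 pass tcp from any to any established

    # Friends: only the gateway and this host's own addresses. This replaces
    # the default rc.firewall lines
    #   ${fwcmd} add pass all from ${ip} to ${net}:${mask}
    #   ${fwcmd} add pass all from ${net}:${mask} to ${ip}
    # which would trust every host on the cable segment.
    for ip in $own_ips; do
        $FWCMD add 300 pass all from "$ip" to "$gw"
        $FWCMD add 300 pass all from "$gw" to "$ip"
    done

    # Neighbours on the same subnet get no more access than the internet:
    # anything arriving from the local range that was not from the gateway.
    for ip in $own_ips; do
        $FWCMD add 400 deny log all from "$net:$mask" to "$ip" in
    done

    # Service-specific rules go here; DNS as the example the poster mentions.
    for ip in $own_ips; do
        $FWCMD add 500 pass udp from "$ip" to any 53 out
        $FWCMD add 500 pass udp from any 53 to "$ip" in
        $FWCMD add 600 pass tcp from "$ip" to any out
    done

    # Deny by default (ipfw's implicit last rule does this too, but say so).
    $FWCMD add 65000 deny log all from any to any
}

# Stand-alone run previews the ruleset for the poster's addresses.
if [ "${FWCMD}" = "echo" ]; then
    build_client_rules "192.168.0.3 192.168.0.4" 192.168.0.1 192.168.0.0 255.255.255.0
fi
```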