From owner-freebsd-security  Mon Nov 27  8:22:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
	by hub.freebsd.org (Postfix) with ESMTP id 0164237B4D7;
	Mon, 27 Nov 2000 08:22:22 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!)
	by homer.softweyr.com with esmtp (Exim 3.16 #1)
	id 140JAh-0000G6-00; Mon, 27 Nov 2000 00:57:55 -0700
Message-ID: <3A221402.D88321D8@softweyr.com>
Date: Mon, 27 Nov 2000 00:57:54 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman
Cc: Doug Barton, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
> 
> < said:
> > allow udp from any to any out
> 
> > But that's for my private home network.  I trust myself to only send out
> > useful, productive packets.  :)
> 
> I must admit to being puzzled by home firewalls, at least among this
> group of people.  If you've got some promiscuous operating system from
> Washington State running, I can somewhat understand doing that.  If
> you just have a single machine, which is under your direct control,
> then doing packet filtering is just silly.  If your machine is

My "machine"?
You certainly don't understand my basement/network operating center,
which includes a mixture of Free/Net/OpenBSD, Solaris, various Windows,
and a lone Atari 520ST.  OK, so the Atari isn't really on the network.

> properly configured and secured, filtering out packets which would
> otherwise be thrown away anyway serves no useful purpose.  (If the
> bandwidth potentially wasted matters to you, that's a problem you have
> to deal with at the upstream side anyway.)

Since I have T-1 speeds coming into said basement, it is entirely likely
that somebody may notice and attempt to hijack one or more of my machines
to use in a DDoS attack.  In fact, somebody already has tried.  And failed.

-- 
        "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message