Date: Fri, 13 Sep 2002 10:16:27 +1000 From: Mark.Andrews@isc.org To: Jason Stone <jason-fbsd-security@shalott.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw, natd, and keep-state - strange behavior? Message-ID: <200209130016.g8D0GRB5032397@drugs.dv.isc.org> In-Reply-To: Your message of "Thu, 12 Sep 2002 15:42:11 MST." <20020912152423.M3276-100000@walter>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > > Having the firewall permit such packets and counting on the client to > > > correctly discard them is probably a bad idea - after all, if you trust > > > the clients to run a properly configured and non-broken OS, why have a > > > firewall at all? > > > > Defense in depth. > > Yes, that's exactly my point - you are advocating that we have the > firewall permit more than we need to and trust the clients. I'm saying > that of course you try to do as good a job securing the clients as you > can, but you also have the firewall be as restrictive as possible so that > you're trusting the clients as little as possible. > > > > What happens if the packets don't go through the dynamic firewall? Or > > are sent in response to an internal request and dynamicly permitted > > through? > > > Presuming that you should permit responses to internal requests because > > internally-initiated requests are supposed to be "safer" is an assumption > > that I question. > > We are not presuming anything of the kind - obviously, any packets that > you mean to deny you set up deny rules for. We are talking about > a situation where you want to allow a particular outbound service. With > your ruleset, you are allowing packets back into the internal network that > should never be allowed in there. With a ruleset that involves > keep/check-state, you have the same semantics in terms of what you mean to > allow, but you deny more packets that shouldn't be allowed. And if you're > only setting keep-state on the rules allowing the outbound setup packets, > you probably don't have to worry about DoS. > > We're replacing: > > allow tcp from $INET to any 22 setup > allow tcp from any 22 to $INET established > > with > > check-state > allow tcp from $INET to any 22 setup keep-state > > > -Jason Note: keep-state works well with protocols that are chatty. 'ssh' is not chatty. You need to adjust the timeouts to support ssh otherwise the rules will timeout. Mark -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200209130016.g8D0GRB5032397>