Date: Wed, 20 Jun 2001 21:53:00 -0700
From: "Crist J. Clark"
To: Malcolm
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
Message-ID: <20010620215300.C740@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu

On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?

Well, "we" (OK, just me) think that it depends entirely on the purpose
of the box and your local security policies. There is no "right" answer.
But two things to consider:

If you have locked down services on a box and then firewall but allow
access to these services, what are you protecting? What does the
firewall actually do to hamper a remote attacker? It really does not add
anything.
However, closing up all services is not as easy as it sounds, and a
firewall is an extra layer of protection against mistakes in locking
them down. IMHO, unless the box is security critical, the administrative
costs of all of the firewalling probably exceed the security gain for
resisting external attack.

However, a firewall in this situation might protect you more from
_local_ users. That is, local users cannot start listening daemons on
high ports on their own. Again, depending on the site policy, this may
be good or bad. If policy is that users are trusted and _should_ be able
to do things like that, firewalling is bad. OTOH, if users are less
trusted and policy forbids these things, firewalling is the best way to
stop it.

$0.02 for ya'.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
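Added illustration (not part of Crist's reply or the original thread): the kind of host-level IPFilter ruleset Malcolm's question describes, written so that it also shows the two points the reply makes. The interface name (fxp0) and the served ports (80 for http, 21 for ftp) are assumptions for the example.

```conf
# /etc/ipf.rules -- added example, not from the thread.  The interface
# (fxp0) and the served ports (80, 21) are assumptions for illustration.
# IPFilter evaluates rules top to bottom; "quick" stops at the first
# match, so the order below is the policy.

# Loopback traffic is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# A bare "block in all" would also drop the replies to this host's own
# outbound connections (DNS lookups, fetching ports, and so on).  Keeping
# state on outbound traffic lets those replies back in without opening
# any inbound port.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The services this box is meant to offer.  Matching only the SYN
# ("flags S") and keeping state means the rest of each connection is
# accepted from the state table rather than by re-matching these rules.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep state

# Everything else inbound is dropped and logged.  This is the rule that
# makes a local user's listener on an arbitrary high port unreachable
# from outside, which is the "local users" effect the reply describes.
block in log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and confirm what the kernel actually holds with `ipfstat -io`; `ipfilter_enable="YES"` in /etc/rc.conf makes it load at boot. One caveat that goes with the "closing up all services is not as easy as it sounds" point: opening port 21 only covers the FTP control connection. A passive-mode FTP client connects inbound to a high port chosen by the server, which the final block rule drops, so an FTP server behind this ruleset needs its passive port range opened explicitly (or IPFilter's ftp proxy), and every such exception is another thing to get wrong.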