From owner-freebsd-security Fri Dec 10 13:33:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from inago.swcp.com (inago.swcp.com [198.59.115.17]) by hub.freebsd.org (Postfix) with ESMTP id E252C15175 for ; Fri, 10 Dec 1999 13:33:39 -0800 (PST) (envelope-from synk@swcp.com)
Received: (from synk@localhost) by inago.swcp.com (8.8.7/8.8.7) id OAA17684 for freebsd-security@FreeBSD.ORG; Fri, 10 Dec 1999 14:33:37 -0700 (MST)
Date: Fri, 10 Dec 1999 14:33:37 -0700 (MST)
From: Brendan Conoboy
Message-Id: <199912102133.OAA17684@inago.swcp.com>
To: freebsd-security@FreeBSD.ORG
Subject: rc.firewall, ipf integration
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi everyone,

Back in FreeBSD 2.x, I used ipfw to build firewalls. When I went to FreeBSD 3.x, I started using ipf. I wish everybody used ipf, but very few people seem to have made the change. Part of the reason for this seems to be a lack of documentation, thus I embarked on writing the ipf howto. The howto is coming along nicely, but FreeBSD's support for ipf doesn't seem to have come along much at all. I'm referring specifically to the rc.conf and rc.firewall files. Recent and past posts alike have indicated that:

1) People are hitting brick walls with ipfw: A recent discussion revolved around the problem of UDP and DNS. The problem was that the firewall had to be opened such that a remote DNS server is able to send packets to any UDP port by using a source address of 53. Using ipf as a filter can solve this by keeping UDP state.

2) rc.firewall is being taken seriously as an effective firewall: As a learning aid, rc.firewall isn't bad, but it's letting things in by default that it really shouldn't. I know people want to be able to turn on a service and have it go, and that's why at present rc.firewall lets in ports 25, 53, 80, 123, but should it really be doing that if those services aren't running? Shouldn't ipf support be in rc.firewall too?
3) rc.firewall doesn't get its configuration from rc.conf: The beginning of each set of rules in rc.firewall requires the setup of what interface, network, netmask, and IP address, then goes on to assume what ports need to be blocked and passed. I know that a fine-grained firewall requires all that information and it can't just be guessed at what interface to apply a rule to, but we could certainly change rc.firewall to only open port 25/tcp when sendmail_enable is YES and sendmail_flags contains -q[0-9]+[mh] (probably wrong, but you get the idea).

The bottom line is, I'd like to see rc.firewall be more useful out of the box to ipfw and ipf users alike. Whether that means rc.firewall includes complex logic based on rc.conf, or rc.conf gets a new line like:

    firewall_allowin="tcp/25/tun0,udp/53,tcp/53,tcp/80"

or both, it can definitely be better than it is. So I'm sending this mail out to ask how people would like it improved. I'm willing to do pretty much all of the work, particularly to get ipf integrated. What do people think needs to happen?

-Brendan (synk@swcp.com)
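The rc.conf-driven rule generation sketched in the mail, written out as an added example; this is not code from the original message nor from FreeBSD's rc.firewall. It parses a `firewall_allowin` list in the `proto/port[/iface]` form the mail proposes (`firewall_allowin` is a hypothetical variable that does not exist in rc.conf; the sample values are constructed), emits either ipf or ipfw rules, and opens 25/tcp only under the mail's own sendmail_enable/sendmail_flags heuristic, reproduced exactly as written there, including its -q[0-9]+[mh] check. Rules are printed rather than loaded, so it runs on any POSIX sh without touching a live firewall.

```shell
#!/bin/sh
# Constructed example: an rc.firewall-style fragment that derives its rules
# from rc.conf variables instead of hard-coding ports 25/53/80/123.
# Rules are printed, not loaded, so this runs anywhere.

# Constructed rc.conf values.  firewall_allowin is the hypothetical variable
# proposed in the mail (comma-separated proto/port[/iface]); sendmail_enable
# and sendmail_flags are real rc.conf variables carrying made-up values.
firewall_allowin="tcp/25/tun0,udp/53,tcp/53,tcp/80"
sendmail_enable="YES"
sendmail_flags="-bd -q30m"

# sendmail_wanted ENABLE FLAGS
# The mail's heuristic, reproduced as written: sendmail_enable must be YES
# and sendmail_flags must contain -q<digits>[mh].
sendmail_wanted() {
    [ "$1" = "YES" ] || return 1
    printf '%s\n' "$2" | grep -Eq -e '-q[0-9]+[mh]'
}

# gen_rules FWTYPE ALLOWIN SENDMAIL_ENABLE SENDMAIL_FLAGS
# FWTYPE is "ipf" or "ipfw".  Emits one inbound pass rule per entry; the
# tcp/25 entry is skipped unless sendmail_wanted says sendmail really runs.
# Prints a diagnostic and returns 1 on a malformed entry or unknown FWTYPE.
gen_rules() {
    fw=$1; list=$2; se=$3; sf=$4
    num=1000                       # ipfw rule numbers: 1000, 1100, ...
    case "$fw" in
        ipf|ipfw) ;;
        *) echo "gen_rules: unknown firewall type '$fw'" >&2; return 1 ;;
    esac
    # Entries never contain whitespace, so commas -> spaces plus ordinary
    # word splitting is a safe way to iterate.
    for entry in $(printf '%s\n' "$list" | tr ',' ' '); do
        proto=${entry%%/*}         # tcp
        rest=${entry#*/}           # 25/tun0
        port=${rest%%/*}           # 25
        iface=
        case "$rest" in */*) iface=${rest#*/} ;; esac   # tun0, or empty
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_rules: bad protocol in '$entry'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$proto/$port" = "tcp/25" ] && ! sendmail_wanted "$se" "$sf"; then
            continue               # sendmail not running: leave 25/tcp closed
        fi
        if [ "$fw" = ipf ]; then
            # "keep state" is what addresses the UDP/DNS reply problem from
            # the mail: replies match a state entry instead of a wide-open
            # UDP rule keyed on source port 53.
            on="${iface:+on $iface }"
            if [ "$proto" = tcp ]; then
                echo "pass in quick ${on}proto tcp from any to any port = $port flags S keep state"
            else
                echo "pass in quick ${on}proto udp from any to any port = $port keep state"
            fi
        else
            via="${iface:+ via $iface}"
            if [ "$proto" = tcp ]; then
                echo "add $num pass tcp from any to any $port setup in$via"
            else
                echo "add $num pass udp from any to any $port in$via"
            fi
            num=$((num + 100))
        fi
    done
}

gen_rules ipf  "$firewall_allowin" "$sendmail_enable" "$sendmail_flags"
gen_rules ipfw "$firewall_allowin" "$sendmail_enable" "$sendmail_flags"
```

With the constructed values above the ipf run yields four `pass in quick ... keep state` lines and the ipfw run four numbered `add ... pass` lines; set `sendmail_enable="NO"` and the 25/tcp rule disappears from both, which is the "only open what is actually running" behaviour the mail asks for. A real rc.firewall would hand the generated lines to ipf(8) or ipfw(8) instead of echoing them, and the per-entry validation matters there: a typo in rc.conf should fail loudly rather than silently produce a rule that passes more than intended.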