Date: Fri, 18 Apr 2008 16:59:07 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Paul Schmehl <pauls@utdallas.edu>
Cc: Gary Newcombe <gary@pattersonsoftware.com>, freebsd-questions@freebsd.org
Subject: Re: [SSHd] Limiting access from authorized IP's
Message-ID: <4808C54B.1090403@infracaninophile.co.uk>
In-Reply-To: <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>
Paul Schmehl wrote:
> I have maintained publicly available servers for a small hobby domain
> for almost ten years now. Initially, I bought in to this logic and ran
> a firewall. (At that time we only had one server.) What it cost me was
> CPU and memory. What it gained me was nothing. I turned it off. I have
> never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition,
> if you are running a service, you want it to be accessed. So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing. For an enterprise they make a great
> deal of sense. No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.
On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well configured server. However there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.
It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*]. So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, someone
can still send you a spoofed packet to 127.0.0.1 that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/.
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.
See eg:
http://seclists.org/bugtraq/2001/Mar/0042.html
Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config. Extending this to back-end networks
etc. is left as an exercise for the student:
scrub in all
pass all
antispoof log quick for lo0
Cheers,
Matthew
[*] Which is not without its legitimate uses, as anyone who has ever configured
a load balancer using DSR mode will attest.
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
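The "exercise for the student" Matthew leaves open, worked as an added example (this is not from the original mail): a pf.conf that extends his three-line ruleset to a back-end network. The interface names em0/em1 and the 10.0.0.0/24 back-end prefix are assumptions to be replaced with the host's own; `pfctl -nvf /etc/pf.conf` shows the block rules each `antispoof` line expands to without loading them.

```pf
# Added example, not the ruleset from the mail. Interface names and the
# back-end prefix are assumed values; substitute the real ones.
ext_if      = "em0"          # public-facing interface
int_if      = "em1"          # back-end / management interface
backend_net = "10.0.0.0/24"  # prefix configured on $int_if

scrub in all

# Source-address spoofing: drop packets that claim to come from loopback
# or from the back-end network but arrive on some other interface.
# "antispoof for lo0" expands to block rules on "! lo0" for 127.0.0.0/8
# and ::1; "antispoof for $int_if" does the same for the prefix on em1.
# "quick" makes these win over the later last-match "pass all".
antispoof log quick for lo0
antispoof log quick for $int_if

# Destination-side check, which antispoof does not cover: a packet
# addressed *to* loopback or to the back-end network has no business
# arriving on the external interface, whatever its source address says.
block drop in log quick on $ext_if \
    from any to { 127.0.0.0/8, ::1, $backend_net }

# Everything not caught above is allowed, as in the original ruleset.
pass all
```

Note that `antispoof` for an interface expands from the addresses configured on it at load time, so a host whose $int_if address changes (DHCP, failover) needs the ruleset reloaded, or the interface written as `($int_if)` so pf tracks the address dynamically.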