Date:      Fri, 18 Apr 2008 16:59:07 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Paul Schmehl <pauls@utdallas.edu>
Cc:        Gary Newcombe <gary@pattersonsoftware.com>, freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Limiting access from authorized IP's
Message-ID:  <4808C54B.1090403@infracaninophile.co.uk>
In-Reply-To: <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>
References:  <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com>	<20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu>

Paul Schmehl wrote:

> I have maintained publicly available servers for a small hobby domain
> for almost ten years now.  Initially, I bought in to this logic and ran
> a firewall. (At that time we only had one server.)  What it cost me was
> CPU and memory. What it gained me was nothing.  I turned it off.  I have
> never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services.  By definition,
> if you are running a service, you want it to be accessed.  So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing.  For an enterprise they make a great
> deal of sense.  No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.

On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well-configured server.  However there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.

It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*].  So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, someone
can still send you a spoofed packet to 127.0.0.1 that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/.
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.
See e.g.:

    http://seclists.org/bugtraq/2001/Mar/0042.html

Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config.  Extending this to back-end networks
etc. is left as an exercise for the student:

   scrub in all
   pass all
   antispoof log quick for lo0

	Cheers,

	Matthew

[*] Which is not without its legitimate uses, as anyone who has ever configured
a load balancer using DSR mode will attest.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
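The loopback-spoofing loophole and the anti-spoof rule from the message above, modelled as a small Python packet filter. This is an added example, not code from the message, from pf(4) or from FreeBSD; the interface names (em0, lo0), host addresses and sample packets are constructed for illustration. `kernel_accepts` models the weak host model (a packet for any configured local address is accepted regardless of ingress interface), and `antispoof_verdict` models a loopback anti-spoof rule that blocks loopback addresses seen on a non-loopback interface. The model checks both source and destination, which is deliberately stricter than a source-only rule; the exact rules PF generates for `antispoof` are documented in pf.conf(5).

```python
"""Model of the loopback anti-spoof check from the message above.

Added example, not pf(4) code.  Interface names, host addresses and the
sample packets below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address ranges that must never be seen on a real (non-loopback) interface.
LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)
LOOPBACK_IFACES = {"lo0"}

# Constructed host: one external interface (203.0.113.5 on em0) plus loopback.
LOCAL_ADDRS = {ipaddress.ip_address(a) for a in ("203.0.113.5", "127.0.0.1")}


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def is_loopback(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOOPBACK_NETS)


def kernel_accepts(pkt: Packet, local_addrs=LOCAL_ADDRS) -> bool:
    """Weak host model: a packet for any configured local address is
    accepted no matter which interface it came in on.  This is what lets
    a packet for 127.0.0.1 that arrives on the external interface reach a
    service bound only to loopback."""
    return ipaddress.ip_address(pkt.dst) in local_addrs


def antispoof_verdict(pkt: Packet) -> tuple[str, str]:
    """Loopback anti-spoof rule: block any packet that carries a loopback
    address yet arrived on a non-loopback interface."""
    if pkt.iface in LOOPBACK_IFACES:
        return "pass", "arrived on loopback interface"
    if is_loopback(pkt.src):
        return "block", f"loopback source {pkt.src} on {pkt.iface}"
    if is_loopback(pkt.dst):
        return "block", f"loopback destination {pkt.dst} on {pkt.iface}"
    return "pass", "no loopback address on a non-loopback interface"


def evaluate(pkt: Packet) -> str:
    """Combine the firewall verdict with host acceptance into one outcome."""
    verdict, reason = antispoof_verdict(pkt)
    flow = f"{pkt.iface} {pkt.src} -> {pkt.dst}"
    if verdict == "block":
        return f"BLOCK  {flow}: {reason}"
    if kernel_accepts(pkt):
        return f"ACCEPT {flow}: local destination"
    return f"IGNORE {flow}: not addressed to this host"


# Constructed traffic: ordinary external traffic, the spoofed packet for
# 127.0.0.1 arriving on em0, genuine loopback traffic, a spoofed loopback
# source, and a packet for some other host.
SAMPLE_PACKETS = [
    Packet("em0", "198.51.100.7", "203.0.113.5"),
    Packet("em0", "198.51.100.7", "127.0.0.1"),
    Packet("lo0", "127.0.0.1", "127.0.0.1"),
    Packet("em0", "127.0.0.1", "203.0.113.5"),
    Packet("em0", "198.51.100.7", "192.0.2.9"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(evaluate(p))
```

Running the block shows the point of the message: `kernel_accepts` returns True for the packet addressed to 127.0.0.1 that arrived on em0, so without the anti-spoof rule the host would hand it to the loopback-bound service; with the rule it is blocked before acceptance is ever considered, while genuine traffic on lo0 and ordinary external traffic pass.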
