From: Matthew Seaman
Organization: Infracaninophile
Date: Fri, 18 Apr 2008 16:59:07 +0100
To: Paul Schmehl
Cc: Gary Newcombe, freebsd-questions@freebsd.org
Subject: Re: [SSHd] Limiting access from authorized IP's

Paul Schmehl wrote:
> I have maintained publicly available servers for a small hobby domain
> for almost ten years now. Initially, I bought in to this logic and ran
> a firewall. (At that time we only had one server.) What it cost me was
> CPU and memory. What it gained me was nothing. I turned it off. I have
> never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition,
> if you are running a service, you want it to be accessed. So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing. For an enterprise they make a great
> deal of sense. No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.

On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well configured server. However there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.

It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*]. So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, someone can
still send you a spoofed packet to 127.0.0.1 that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/.
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.
See eg:

    http://seclists.org/bugtraq/2001/Mar/0042.html

Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config. Extending this to back-end networks
etc. is left as an exercise for the student:

    scrub in all
    pass all
    antispoof log quick for lo0

Cheers,

Matthew

[*] Which is not without its legitimate uses, as anyone who has ever configured
a load balancer using DSR mode will attest.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
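As an added example, not part of Matthew's mail or of pf itself: a small Python model of the check the antispoof rule above is meant to enforce against the loophole he describes, treating a loopback address (as source or destination) as legitimate only when the packet arrives on lo0, plus explicit pf rules that spell the same policy out long-hand. The interface name em0 and the 192.0.2.x addresses are constructed sample values, and the long-hand rules are written by hand here rather than taken from pf's own antispoof expansion.

```python
"""Model of the strong-host check for loopback addresses (added example)."""
import ipaddress
from dataclasses import dataclass

# RFC 1122: 127/8 (and ::1) must never appear on a wire.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def is_loopback(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LOOPBACK_NETS)


def verdict(pkt: Packet, loopback_iface: str = "lo0") -> str:
    """'block' if a loopback address shows up on a non-loopback interface.

    This is the weak-routing-model spoof from the post: a packet addressed
    to 127.0.0.1 (or claiming to come from it) arriving on the external i/f.
    """
    if pkt.iface == loopback_iface:
        return "pass"
    if is_loopback(pkt.src) or is_loopback(pkt.dst):
        return "block"
    return "pass"


def explicit_rules(loopback_iface: str = "lo0") -> list:
    """Hand-written pf rules with the same effect as verdict() (constructed)."""
    rules = []
    for net in LOOPBACK_NETS:
        af = "inet6" if net.version == 6 else "inet"
        rules.append(f"block in log quick on ! {loopback_iface} {af} from {net} to any")
        rules.append(f"block in log quick on ! {loopback_iface} {af} from any to {net}")
    return rules


# Constructed sample traffic: the spoof from the post plus legitimate flows.
SAMPLE = [
    Packet("em0", "192.0.2.50", "127.0.0.1"),  # spoof: loopback dst on external i/f
    Packet("em0", "127.0.0.1", "192.0.2.7"),   # spoof: loopback src on external i/f
    Packet("lo0", "127.0.0.1", "127.0.0.1"),   # legitimate local traffic
    Packet("em0", "192.0.2.50", "192.0.2.7"),  # ordinary external traffic
]


def classify(packets=SAMPLE) -> list:
    return [verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, classify()):
        print(f"{v:5s} {p.iface} {p.src} -> {p.dst}")
    print("\n".join(explicit_rules()))
```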