Date:      Wed, 20 Jun 2001 23:50:03 -0700 (PDT)
From:      La Place <a_trans2001@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPFilter and security
Message-ID:  <20010621065003.21247.qmail@web14810.mail.yahoo.com>
In-Reply-To: <20010620215300.C740@blossom.cjclark.org>

You can use ipf to do egress filtering, kinda a good thing for your network ;). Only allow
src/dst IPs that you want, reducing spoofed traffic and wasted bandwidth. It is always good to do
egress filtering ;)...even at your host.

bruce
--- "Crist J. Clark" <cristjc@earthlink.net> wrote:
> On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> > Hi folks,
> >   What do we think about installing IPFilter on non-gateway boxes
> > and using it to block all incoming traffic except for whatever ports
> > we want to use on our server (e.g., http, ftp)?
> 
> Well, "we" (OK, just me) think that it depends entirely on the purpose
> of the box and your local security policies. There is no "right"
> answer. But two things to consider:
> 
> If you have locked down services on a box and then firewall but allow
> access to these services, what are you protecting? What does the
> firewall actually do to hamper a remote attacker? It really does not
> add anything. However, closing up all services is not as easy as it
> sounds and a firewall is an extra layer of protection against mistakes
> in locking them down. IMHO, unless the box is security critical, the
> administrative costs of all of the firewalling probably exceed the
> security gain for resisting external attack.
> 
> However, a firewall in this situation might protect you more from
> _local_ users. That is, local users cannot start listening daemons on
> high ports on their own. Again, depending on the site policy, this may
> be good or bad. If policy is that users are trusted and _should_ be
> able to do things like that, firewalling is bad. OTOH, if users are
> less trusted and policy forbids these things, firewalling is the best
> way to stop it.
> 
> $0.02 for ya'.
> -- 
> Crist J. Clark                           cjclark@alum.mit.edu
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message



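The egress and ingress policy discussed in this thread, as an added example that is not from either poster: a toy evaluator for an IPFilter-style ruleset on a non-gateway host. It models ipf's last-matching-rule semantics, the `quick` keyword and the `!` address negation used to drop packets with a forged source address. The host address 192.0.2.10, the interface fxp0 and the sample packets are constructed for the example, and the parser covers only the subset of ipf syntax used here (a real ruleset would add `keep state` and `flags S` on the TCP pass rules).

```python
"""Toy IPFilter-style rule evaluator (added example, not the real ipf parser).

Assumed (constructed for the example): host 192.0.2.10 on fxp0 that offers
only http and ftp; no 'keep state' / 'flags' handling."""
import ipaddress
import re

# Constructed ruleset: egress rules first, then ingress rules.
RULES = """
# egress: nothing leaves this box with a source address that is not ours
block out log quick on fxp0 from !192.0.2.10 to any
# egress: a public host has no business talking to private address space
block out log quick on fxp0 from any to 10.0.0.0/8
pass out quick on fxp0 from 192.0.2.10 to any
# ingress: our own address arriving from the wire is a spoof
block in log quick on fxp0 from 192.0.2.10 to any
# ingress: only the services we intend to offer
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 21
# ingress: everything else, including a user's own high-port daemon
block in log quick on fxp0 all
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)$"
)


def parse_rules(text):
    """Parse the subset of ipf syntax above into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append({**m.groupdict(), "text": line})
    return rules


def _addr_match(spec, ip):
    """'any' or a missing spec matches everything; a leading '!' negates."""
    if spec is None or spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _matches(rule, pkt):
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] and int(rule["port"]) != pkt["dport"]:
        return False
    return _addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])


def decide(rules, pkt):
    """ipf semantics: every rule is walked and the last match wins, unless a
    matching rule says 'quick', which stops evaluation at once. With no
    matching rule the packet passes. Returns (verdict, logged)."""
    verdict, logged = "pass", False
    for rule in rules:
        if _matches(rule, pkt):
            verdict, logged = rule["action"], bool(rule["log"])
            if rule["quick"]:
                break
    return verdict, logged


def pkt(direction, src, dst, proto="tcp", dport=None):
    return {"dir": direction, "iface": "fxp0", "proto": proto,
            "src": src, "dst": dst, "dport": dport}


# Constructed sample traffic seen at fxp0.
SAMPLES = {
    "legit_out":    pkt("out", "192.0.2.10", "198.51.100.7", dport=80),
    "spoofed_out":  pkt("out", "203.0.113.9", "198.51.100.7", dport=80),   # forged source
    "rfc1918_out":  pkt("out", "192.0.2.10", "10.1.2.3", dport=22),
    "http_in":      pkt("in", "198.51.100.7", "192.0.2.10", dport=80),
    "ftp_in":       pkt("in", "198.51.100.7", "192.0.2.10", dport=21),
    "highport_in":  pkt("in", "198.51.100.7", "192.0.2.10", dport=31337),  # user's daemon
    "selfspoof_in": pkt("in", "192.0.2.10", "192.0.2.10", dport=80),
}


def run_samples(rules_text=RULES, samples=SAMPLES):
    """Map each sample name to its (verdict, logged) under the ruleset."""
    rules = parse_rules(rules_text)
    return {name: decide(rules, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (verdict, logged) in run_samples().items():
        print(f"{name:13s} {verdict:5s} {'logged' if logged else ''}")
```

Both sides of the thread show up in the results: the egress rules drop the spoofed and RFC 1918-bound packets (the "wasted bandwidth" point), while the ingress block rule also stops traffic to a high port that a local user's daemon would listen on, which is the policy trade-off Crist describes.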
