From owner-freebsd-security Wed Jun 20 23:50:09 2001
Delivered-To: freebsd-security@freebsd.org
Message-ID: <20010621065003.21247.qmail@web14810.mail.yahoo.com>
Date: Wed, 20 Jun 2001 23:50:03 -0700 (PDT)
From: La Place
Subject: Re: IPFilter and security
To: freebsd-security@freebsd.org
In-Reply-To: <20010620215300.C740@blossom.cjclark.org>

You can use ipf to do egress filtering, kinda a good thing for your
network ;). Only allow src/dst IPs that you want, reducing spoofed
traffic and wasted bandwidth. It is always good to do egress
filtering ;).. even at your host.

bruce

--- "Crist J. Clark" wrote:
> On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> > Hi folks,
> > What do we think about installing IPFilter on non-gateway boxes
> > and using it to block all incoming traffic except for whatever ports
> > we want to use on our server (e.g., http, ftp)?
>
> Well, "we" (OK, just me) think that it depends entirely on the purpose
> of the box and your local security policies. There is no "right"
> answer. But two things to consider:
>
> If you have locked down services on a box and then firewall but allow
> access to these services, what are you protecting? What does the
> firewall actually do to hamper a remote attacker? It really does not
> add anything. However, closing up all services is not as easy as it
> sounds and a firewall is an extra layer of protection against mistakes
> in locking them down. IMHO, unless the box is security critical, the
> administrative costs of all of the firewalling probably exceed the
> security gain for resisting external attack.
>
> However, a firewall in this situation might protect you more from
> _local_ users. That is, local users cannot start listening daemons on
> high ports on their own. Again, depending on the site policy, this may
> be good or bad. If policy is that users are trusted and _should_ be
> able to do things like that, firewalling is bad. OTOH, if users are
> less trusted and policy forbids these things, firewalling is the best
> way to stop it.
>
> $0.02 for ya'.
> --
> Crist J. Clark cjclark@alum.mit.edu
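The kind of host ruleset the thread is talking about, written out as an added example (not from either poster): it does bruce's egress/anti-spoof filtering and the inbound "only the services we run" policy from Malcolm's question, which also stops the local-user high-port daemons Crist mentions. Interface name fxp0, host address 192.0.2.10 and the open services are assumptions; rules are evaluated top to bottom and `quick` stops at the first match.

```ipf
# /etc/ipf.rules for a non-gateway host (constructed example; fxp0 and
# 192.0.2.10 are assumptions, substitute your own interface and address)

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing, inbound: packets claiming to be us, or coming from
# private/loopback space, must not arrive on the external interface.
block in log quick on fxp0 from 192.0.2.10 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any

# Egress filtering: nothing leaves this box with a source address
# other than its own. A spoofed-source flood from a compromised
# process is dropped and logged here instead of reaching the network.
block out log quick on fxp0 from ! 192.0.2.10 to any

# Outbound traffic we originate; keep state so replies get back in
# without needing separate inbound pass rules.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10 to any keep state
pass out quick on fxp0 proto icmp from 192.0.2.10 to any keep state

# Inbound: only the services this server actually offers.
# (FTP's data channel needs extra handling, e.g. ipnat's ftp proxy.)
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 21 flags S keep state

# Everything else inbound is dropped and logged. This is also what
# prevents a local user's daemon on a high port from being reachable.
block in log quick on fxp0 all
```

Load with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` for the logged blocks; a hit on the egress rule is worth investigating, since it means a process on the host tried to send with a foreign source address.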