Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 18 Apr 2008 12:03:55 -0500
From:      Erik Osterholm <freebsd-lists-erik@erikosterholm.org>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: [SSHd] Limiting access from authorized IP's
Message-ID:  <20080418170355.GA94092@aleph.cepheid.org>
In-Reply-To: <4808C54B.1090403@infracaninophile.co.uk>
References:  <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808C54B.1090403@infracaninophile.co.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Apr 18, 2008 at 04:59:07PM +0100, Matthew Seaman wrote:
> Paul Schmehl wrote:
> 
> >I have maintained publicly available servers for a small hobby
> >domain for almost ten years now.  Initially, I bought in to this
> >logic and ran a firewall. (At that time we only had one server.)
> >What it cost me was CPU and memory. What it gained me was nothing.
> >I turned it off.  I have never run a firewall on a publicly
> >available host since.
> >
> >Firewalls are for preventing access to running services.  By
> >definition, if you are running a service, you want it to be
> >accessed.  So firewalls are self-defeating or completely useless at
> >the host level **unless** you don't know what you're doing.  For an
> >enterprise they make a great deal of sense.  No matter what a user
> >inside your network might do, you can prevent access by simply not
> >allowing traffic on that port.
> 
> On the whole I agree with you -- you should be able to view a
> firewall as a luxury rather than a necessity on a well configured
> server.  However there is one rather nasty loophole that you can
> block with a firewall which otherwise is pretty impossible to deal
> with, at least on FreeBSD machines.
> 
> It's all to do with the weak routing model -- that is, a network
> packet to an IP on one of a host's interfaces will be accepted on
> *any* interface on that host[*].  So even though you protect
> services that are not meant to be for public consumption by binding
> them to the loopback address, some one can still send you a spoofed
> packet to 127.0.0.1 that arrives on your external network i/f /and
> it will let you connect to the service bound to the loopback/ The
> attacker has to have access to the same layer 2 network as your
> host, but sending the spoofed packet is as simple as tweaking the
> routing table.  See eg: 
> 
>    http://seclists.org/bugtraq/2001/Mar/0042.html
> 
> Blocking this sort of attack against the loopback address can be
> done with the following 3 line PF firewall config.  Extending this
> to back-end networks etc. is left as an exercise for the student:
 
>   scrub in all
>   pass all
>   antispoof log quick for lo0
> 
> 	Cheers,
> 
> 	Matthew
 
> [*] Which is not without its legitimate uses, as anyone who as ever
> configured a load balancer using DSR mode will attest.


I don't think that it's enough to say that this is the only case where
a firewall is useful.  Modern firewalls can do simple DOS protection,
and on a multi-user system, they can prevent services from being
started by your users.  Egress firewalls on servers can stop
unprivileged user compromises from wreaking havoc on external hosts.
I'm sure that are other circumstances where a firewall is useful.

Now I believe that there are other ways to address the above
requirements, but they may require tradeoffs.  mac_portacl allows
restricting binding of ports (though I've never actually heard of
anyone using it--this alone may be a reason ot go with a more
tride-and-true solution.)  This, however, requires compiling a custom
kernel, which may be undesirable for other reasons.

Erik



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080418170355.GA94092>