From: Erik Osterholm <erik@cepheid.org>
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Fri, 18 Apr 2008 12:03:55 -0500
Subject: Re: [SSHd] Limiting access from authorized IP's
Message-ID: <20080418170355.GA94092@aleph.cepheid.org>
In-Reply-To: <4808C54B.1090403@infracaninophile.co.uk>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808C54B.1090403@infracaninophile.co.uk>

On Fri, Apr 18, 2008 at 04:59:07PM +0100, Matthew Seaman wrote:
> Paul Schmehl wrote:
>
> > I have maintained publicly available servers for a small hobby
> > domain for almost ten years now. Initially, I bought into this
> > logic and ran a firewall. (At that time we only had one server.)
> > What it cost me was CPU and memory. What it gained me was nothing.
> > I turned it off. I have never run a firewall on a publicly
> > available host since.
> >
> > Firewalls are for preventing access to running services. By
> > definition, if you are running a service, you want it to be
> > accessed. So firewalls are self-defeating or completely useless at
> > the host level **unless** you don't know what you're doing. For an
> > enterprise they make a great deal of sense. No matter what a user
> > inside your network might do, you can prevent access by simply not
> > allowing traffic on that port.
>
> On the whole I agree with you -- you should be able to view a
> firewall as a luxury rather than a necessity on a well-configured
> server. However, there is one rather nasty loophole that you can
> block with a firewall which otherwise is pretty impossible to deal
> with, at least on FreeBSD machines.
>
> It's all to do with the weak routing model -- that is, a network
> packet to an IP on one of a host's interfaces will be accepted on
> *any* interface on that host[*]. So even though you protect
> services that are not meant to be for public consumption by binding
> them to the loopback address, someone can still send you a spoofed
> packet to 127.0.0.1 that arrives on your external network i/f /and
> it will let you connect to the service bound to the loopback/. The
> attacker has to have access to the same layer 2 network as your
> host, but sending the spoofed packet is as simple as tweaking the
> routing table. See e.g.:
>
> http://seclists.org/bugtraq/2001/Mar/0042.html
>
> Blocking this sort of attack against the loopback address can be
> done with the following 3-line PF firewall config. Extending this
> to back-end networks etc. is left as an exercise for the student:
>
>     scrub in all
>     pass all
>     antispoof log quick for lo0
>
> Cheers,
>
> Matthew
>
> [*] Which is not without its legitimate uses, as anyone who has ever
> configured a load balancer using DSR mode will attest.

I don't think that it's enough to say that this is the only case where a
firewall is useful.

Modern firewalls can do simple DoS protection, and on a multi-user system
they can prevent services from being started by your users. Egress
firewalls on servers can stop unprivileged user compromises from wreaking
havoc on external hosts. I'm sure that there are other circumstances where
a firewall is useful.

Now I believe that there are other ways to address the above requirements,
but they may require tradeoffs. mac_portacl allows restricting binding of
ports (though I've never actually heard of anyone using it -- this alone
may be a reason to go with a more tried-and-true solution). This, however,
requires compiling a custom kernel, which may be undesirable for other
reasons.

Erik
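Matthew's three lines, worked out into a fuller /etc/pf.conf as an added example (editor's example, not configuration posted in the thread). It assumes em0 is the public interface, em1 carries a private back-end network, and the services meant to stay private are bound either to 127.0.0.1 or to em1's own address. Two things the three-line version leaves implicit are spelled out: antispoof only expands to source-address rules, so a packet addressed to 127.0.0.1 that carries the attacker's real source address needs its own block rule; and once antispoof is extended to real interfaces, pf.conf(5) warns that the generated rules can block legitimate traffic over lo0 to the host's own addresses, which "set skip on lo0" sidesteps.

```pf
# Added example, not Matthew's or Erik's config.  Assumed layout: em0 is
# the public interface, em1 carries the private back-end network, and
# private services are bound to 127.0.0.1 or to em1's address only.
ext_if = "em0"
int_if = "em1"

# pf.conf ordering: options, then normalisation, then filter rules.
# Packets on lo0 never crossed a wire; skipping them also avoids the
# pf.conf(5) caveat that antispoof rules for a real interface block
# legitimate loopback traffic sourced from that interface's address.
set skip on lo0

# Normalise fragments before any filter rule looks at them.
scrub in all

# Everything else is the host's own business, as in the thread.  The
# block rules below carry "quick", so they win regardless of order.
pass all

# Source-address spoofing.  antispoof expands to source-based blocks;
# "antispoof log quick for lo0" becomes
#   block drop log quick in on ! lo0 inet  from 127.0.0.0/8 to any
#   block drop log quick in on ! lo0 inet6 from ::1 to any
# and for a non-loopback interface pf additionally blocks inbound
# packets whose source is that interface's own address.
antispoof log quick for lo0
antispoof log quick for $int_if

# Destination side: the case in the thread is a packet *addressed to*
# 127.0.0.1 (or to the back-end address) that arrives on the public
# interface.  antispoof does not cover that, so state it explicitly:
# only lo0 may deliver to loopback, and only $int_if may deliver to
# the back-end interface's own (dynamically looked-up) address.
block drop log quick in on ! lo0 inet  from any to 127.0.0.0/8
block drop log quick in on ! lo0 inet6 from any to ::1
block drop log quick in on ! $int_if from any to ($int_if)
```

Check the expansion with "pfctl -nvf /etc/pf.conf" before loading it; -n parses without loading and -v prints the rules antispoof actually generated. Note also that FreeBSD's IP input path drops packets carrying a 127/8 source or destination that arrive on a non-loopback interface (the RFC 1122 "must not appear on wire" check in ip_input.c), so on a current release the loopback case is largely handled by the kernel itself; the destination rule for the back-end interface address is where this configuration still does real work, since a back-end address is not a martian and the kernel will happily accept it on em0.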
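The mac_portacl(4) alternative Erik mentions, as an added example (editor's example, not something from the thread) in the form of an /etc/sysctl.conf fragment. It assumes the web server runs as uid 80 (the www user) and that members of an assumed gid 1001 are the only unprivileged accounts allowed to start a listener. The policy must be loaded first (kldload mac_portacl, or mac_portacl_load="YES" in /boot/loader.conf), and the kernel needs "options MAC", which GENERIC has included since FreeBSD 8.0; on 7.x it is the custom-kernel step Erik refers to.

```conf
# Added example, not Erik's configuration.  /etc/sysctl.conf fragment for
# mac_portacl(4).  Assumed: web server runs as uid 80; gid 1001 (assumed
# name "svc") is the one group of unprivileged users allowed to listen.

# Let mac_portacl, not the classic reserved-port check, decide who may
# bind ports below 1024.  With these left at their defaults the kernel
# refuses non-root binds before portacl is ever consulted.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0

# Extend the policy from its default ceiling of 1023 to every port, so an
# unprivileged user cannot simply start the listener on 8080 instead.
security.mac.portacl.port_high=65535

# root stays exempt, and binds to port 0 (ask the kernel for an ephemeral
# port) stay allowed, which outgoing connections rely on.
security.mac.portacl.suser_exempt=1
security.mac.portacl.autoport_exempt=1

# Allow list, comma separated, each entry idtype:id:protocol:port.
security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443,gid:1001:tcp:8443,gid:1001:udp:514

security.mac.portacl.enabled=1
```

Two caveats before relying on this for "users can't start services": the policy hooks bind(2), so with autoport_exempt=1 a user can still bind port 0 (or call listen(2) on an unbound socket) and receive a kernel-chosen ephemeral port; and it says nothing about outbound traffic, so it does not replace the egress filtering Erik lists as a separate reason for a host firewall.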