From owner-freebsd-stable Mon Feb 26 06:22:15 1996
Return-Path: owner-stable
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA21117 for stable-outgoing; Mon, 26 Feb 1996 06:22:15 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA21096 Mon, 26 Feb 1996 06:22:11 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0tr3oX-0003wSC; Mon, 26 Feb 96 06:22 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id PAA11521; Mon, 26 Feb 1996 15:22:10 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: michael butler
cc: stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
In-reply-to: Your message of "Tue, 27 Feb 1996 01:05:48 +1100." <199602261405.BAA09438@asstdc.scgt.oz.au>
Date: Mon, 26 Feb 1996 15:22:08 +0100
Message-ID: <11519.825344528@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-stable@freebsd.org
Precedence: bulk

> Poul-Henning Kamp writes:
>
> > Well, this happens to be your view. I know machines where IPFW are being
> > used to restrict what users on the machine can do, this is only possible
> > if you filter >ALL< traffic, to and from the machine.
>
> OK .. but, personally, I wouldn't call or attempt to use those boxes as
> firewalls .. any "sensitive" firewall/filtering router I have control over
> has two valid accounts which have any access at all, mine and one other,
> with limited privilege, for daily monitoring. No users == much reduced risk.

I agree, I'd do that too.

However, that is all a question of what your policy is. The IPFW should
not affect your policy, but merely be able to implement it.

> If security is _that_ important, investing in a dedicated box to do the job
> is cheap at triple the price :-)

depends, sometimes other things are of some importance too :-)

> > The IPFW is not a policy, it's a tool to implement policies. As such it
> > needs to be able to implement the widest possible range of policies.
>
> I can see where you're coming from .. but this behaviour caught me out
> because it is unusual and I'm sure it'll catch many others :-(.

I'm sure about that too, that is really too bad :-(

However, the reason why I'm in this business right now was that a (by now
documented) criminal person gained access through a FreeBSD firewall, even
though the filters claimed that it wasn't possible.

This was not something I could have sitting on my shoulders as a security
supplier. I decided to fix it once and for all, so that the policy would
be entirely in the hands of the sysadmin, rather than some of it being done
in a very obscure piece of code.

Security will always require people to know what they do, unfortunately.

> > You should be on -committers if you run -stable or -current. If you were,
> > you would have seen it.
>
> If I could get half-way through the stuff I'm obliged to read now ..

Talk to me about it...

Ohh, and don't forget to read >all< of Terry's emails :-)

Now, how about you check out the ipfw.8 from -current and send me your
comments, and possibly a couple of good commented rule-sets for the doc,
then I'll make sure the kernel-code does what we want it to and what we
think ?

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.