From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Mon, 27 Nov 2000 13:10:52 -0700 (MST)
To: Wes Peters
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <14882.49100.131730.989201@nomad.yogotech.com>
In-Reply-To: <3A221402.D88321D8@softweyr.com>

> > > allow udp from any to any out
> >
> > > But that's for my private home network. I trust myself to only send out
> > > useful, productive packets. :)
> >
> > I must admit to being puzzled by home firewalls, at least among this
> > group of people.

Because many of these 'homes' have full-time connections, which are
constantly scanned for weaknesses.
> > If you've got some promiscuous operating system from
> > Washington State running, I can somewhat understand doing that.

Even FreeBSD (*gasp*) has security problems, especially older releases
and/or misconfigured releases. Unless you want to upgrade every system
in your network every time a new security issue is found (and known),
it's better to have a policy that minimizes risks, which includes a
firewall.

> > If you just have a single machine, which is under your direct control,
> > then doing packet filtering is just silly.

I disagree completely.

> > If your machine is properly configured and secured, filtering out
> > packets which would otherwise be thrown away anyway serves no useful
> > purpose.

Sure, but who determines if the packets are going to be thrown out, if
not a firewall? Your upstream provider? Most decent ISPs are not into
content-filtering your packets, so if you are silly enough to run
something (accidentally or on purpose) then the packets will get out.

> Since I have T-1 speeds coming into said basement, it is entirely likely
> that somebody may notice and attempt to hijack one or more of my machines
> to use in a DDOS attack. In fact, somebody already has tried. And failed.

Only once? I'm scanned 3-4 times/day, and weekly get script kiddies
attempting to do remote exploits.

Having been responsible for monitoring a box on the internet full-time
since '94, I can't imagine *NOT* using a firewall if you have a
full-time connection, static IP or not.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message