Date: Wed, 15 Aug 2001 07:59:43 -0500
From: Lucas Bergman <lucas@slb.to>
To: default - Subscriptions <default013subscriptions@hotmail.com>
Cc: questions@freebsd.org
Subject: Re: Question about default IPFW Rules...
Message-ID: <20010815075943.D4491@comp04.prc.uic.edu>
In-Reply-To: <OE35Fur2iz2Mb1s7nlT0000ba58@hotmail.com>; from default013subscriptions@hotmail.com on Tue, Aug 14, 2001 at 11:06:21PM -0500
References: <OE35Fur2iz2Mb1s7nlT0000ba58@hotmail.com>
> I have a question about this rule in the default rc.firewall script:
>
> # Allow any traffic to or from my own net
> ${fwcmd} add pass all from ${ip} to ${net}:${mask}
> ${fwcmd} add pass all from ${net}:${mask} to ${ip}

In my copy of /usr/src/etc/rc.firewall, these rules only appear in the
"client" firewall configuration; i.e., if you set firewall_type=client,
you are saying implicitly that you trust your subnet.

> If one is on a cable/dsl connection like @home, wouldn't this rule
> supersede all other rules and let any traffic in from my
> I.P. address range? (given that example I.P. is 192.168.0.3, and
> netmask is 255.255.255.0)

I have @Home, but I got a routable address.  Lucky me, I guess.

Provided the rules appeared sufficiently early in the configuration
(which they do in the default "client" configuration in rc.firewall),
then you're right.  If you want to black-hole your subnet except for,
say, your own addresses and your gateway, then you'll have to add that
in.

> I am concerned with this because I do have hackers in my range that
                                             ^^^^^^^
> have been trying to get in...

You misspelled "crackers"...  :)

> Is there a better way to do this? Or would you guys suggest removing
> this rule completely? (I have not tried this yet...)

If you want to protect yourself more from people on 192.168.0/24 (other
than you and your gateway), then you'll have to do something somewhat
more complicated.  Maybe look into one of the more complete firewall
configurations that, say, drop TCP packets except for connections that
you set up.  (That, at least, stops many TCP-based attacks.)

Lucas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
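As an added example (not from the message above, and not FreeBSD's own rc.firewall), here is a rule set in the style of the "client" type that does what the reply suggests: it passes traffic only between this host and its gateway, denies and logs the rest of the shared segment in place of the two "allow any traffic to or from my own net" rules, and then keeps only TCP connections this host set up itself. The addresses 192.168.0.3, 192.168.0.1 and 192.168.0.0:255.255.255.0 are assumed placeholders matching the example in the thread, as is the assumption that the address is assigned by DHCP. By default the script only prints the ipfw commands it would run; set FWCMD=ipfw to load them for real.

```shell
#!/bin/sh
# Added example, not the post's or rc.firewall's code: a "client"-style
# ipfw rule set that trusts only this host and its default gateway and
# treats the rest of the shared cable/DSL segment as hostile.
# All addresses are assumed placeholders; override IP, GW, NET and MASK.
# Dry run by default (prints the commands); FWCMD=ipfw applies them.

ip="${IP:-192.168.0.3}"        # assumed: this host's address
gw="${GW:-192.168.0.1}"        # assumed: the upstream router on the segment
net="${NET:-192.168.0.0}"      # assumed: the shared segment
mask="${MASK:-255.255.255.0}"
fwcmd="${FWCMD:-echo ipfw}"    # dry run unless FWCMD=ipfw

client_rules() {
    ${fwcmd} -f flush

    # Loopback: allow it, and refuse spoofed 127/8 on real interfaces.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny all from 127.0.0.0/8 to any

    # Trust the gateway, not the whole subnet. Order matters: ipfw stops
    # at the first matching rule, so these must precede the subnet deny.
    ${fwcmd} add pass all from ${ip} to ${gw}
    ${fwcmd} add pass all from ${gw} to ${ip}

    # Assumed: the address comes from DHCP, so the server's replies must
    # get in. Drop these two rules on a statically configured host.
    ${fwcmd} add pass udp from any 67 to any 68 in
    ${fwcmd} add pass udp from any 68 to any 67 out

    # Everyone else on the segment is denied and logged. This replaces
    # "pass all from ${ip} to ${net}:${mask}" and its mirror rule.
    ${fwcmd} add deny log all from ${net}:${mask} to ${ip}
    ${fwcmd} add deny log all from ${ip} to ${net}:${mask}

    # TCP: only connections this host set up itself.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag
    ${fwcmd} add pass tcp from ${ip} to any setup
    ${fwcmd} add deny log tcp from any to any setup

    # DNS and NTP replies, as in the stock "client" type.
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 123 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 123

    # Explicit default deny, so the result does not depend on whether the
    # kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    ${fwcmd} add deny log all from any to any
}

client_rules
```

The subnet deny rules sit before the "established" rule on purpose: a neighbour that spoofs an ACK-only packet still hits the deny, not the pass. On a chatty segment the log rules will be noisy (NetBIOS broadcasts and the like); ipfw rate-limits its logging through the net.inet.ip.fw.verbose_limit sysctl, so set that rather than removing "log" from the rules.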