Date: Thu, 21 Jun 2001 12:34:17 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: cjclark@alum.mit.edu
Cc: Malcolm <malcolm@ocf.berkeley.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
Message-ID: <20010621123417.D772@ringworld.oblivion.bg>
In-Reply-To: <20010620215300.C740@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Jun 20, 2001 at 09:53:00PM -0700
References: <Pine.SOL.4.33.0106201809290.23365-100000@famine.OCF.Berkeley.EDU> <20010620215300.C740@blossom.cjclark.org>
On Wed, Jun 20, 2001 at 09:53:00PM -0700, Crist J. Clark wrote:
> On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> > Hi folks,
> >
> > What do we think about installing IPFilter on non-gateway boxes
> > and using it to block all incoming traffic except for whatever ports
> > we want to use on our server (e.g., http, ftp)?
>
> Well, "we" (OK, just me) think that it depends entirely on the purpose
> of the box and your local security policies. There is no "right"
> answer. But two things to consider:
>
> If you have locked down services on a box and then firewall but allow
> access to these services, what are you protecting? What does the
> firewall actually do to hamper a remote attacker? It really does not
> add anything. However, closing up all services is not as easy as it
> sounds and a firewall is an extra layer of protection against mistakes
> in locking them down. IMHO, unless the box is security critical, the
> administrative costs of all of the firewalling probably exceed the
> security gain for resisting external attack.
>
> However, a firewall in this situation might protect you more from
> _local_ users. That is, local users cannot start listening daemons on
> high ports on their own. Again, depending on the site policy, this may
> be good or bad. If policy is that users are trusted and _should_ be
> able to do things like that, firewalling is bad. OTOH, if users are
> less trusted and policy forbids these things, firewalling is the best
> way to stop it.

Well, there is this little matter of never really being sure you've
locked down services on a box... A firewall might help if a remote user
were to suddenly become a local user, in which case the arguments in
your last paragraph hold :)

G'luck,
Peter

--
This sentence claims to be an Epimenides paradox, but it is lying.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
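As an added illustration of the policy the thread is discussing (this ruleset is not from the original message or from the IPFilter project), here is an ipf.rules file for a non-gateway server that drops all unsolicited inbound traffic except the service ports the server is meant to offer, while still letting the box make its own outbound connections. The interface name fxp0 and the choice of ports 80 and 21 are assumptions for the example.

```ipf
# Assumed interface: fxp0. Rules are evaluated last-match-wins unless
# marked "quick", so the two "block" lines are the default policy and
# every later "pass ... quick" rule is an explicit exception to it.

# Default policy: deny and log anything inbound that no later rule passes;
# deny outbound by default too so only stateful, initiated flows leave.
block in log all
block out all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Let the host initiate connections; "keep state" creates a state entry
# so the replies are admitted without opening any inbound port.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The only services this box offers: HTTP and FTP control (assumed ports).
# Because inbound is otherwise blocked, a daemon a local user starts on a
# high port is unreachable from outside, which is the point Crist raised.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep state
```

Two caveats a practitioner should check before relying on this. First, the ruleset deliberately says nothing about which process listens on 80 or 21, so it is the "extra layer against mistakes" from the thread, not a substitute for locking the services down. Second, passive-mode FTP hands the client an ephemeral data port on the server, which a default-deny inbound policy will block; serving FTP this way needs either a fixed passive port range that is also passed in, or IPFilter's FTP proxy support, and that exception widens the very surface the rest of the ruleset closes.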