From owner-freebsd-security Thu Jun 21 2:35:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id E826837B407 for ; Thu, 21 Jun 2001 02:35:50 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 9946 invoked by uid 1000); 21 Jun 2001 09:34:17 -0000
Date: Thu, 21 Jun 2001 12:34:17 +0300
From: Peter Pentchev
To: cjclark@alum.mit.edu
Cc: Malcolm , freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
Message-ID: <20010621123417.D772@ringworld.oblivion.bg>
Mail-Followup-To: cjclark@alum.mit.edu, Malcolm , freebsd-security@FreeBSD.ORG
References: <20010620215300.C740@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010620215300.C740@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Jun 20, 2001 at 09:53:00PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jun 20, 2001 at 09:53:00PM -0700, Crist J. Clark wrote:
> On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> > Hi folks,
> > What do we think about installing IPFilter on non-gateway boxes
> > and using it to block all incoming traffic except for whatever ports
> > we want to use on our server (e.g., http, ftp)?
>
> Well, "we" (OK, just me) think that it depends entirely on the purpose
> of the box and your local security policies. There is no "right"
> answer. But two things to consider:
>
> If you have locked down services on a box and then firewall but allow
> access to these services, what are you protecting? What does the
> firewall actually do to hamper a remote attacker? It really does not
> add anything. However, closing up all services is not as easy as it
> sounds and a firewall is an extra layer of protection against mistakes
> in locking them down. IMHO, unless the box is security critical, the
> administrative costs of all of the firewalling probably exceed the
> security gain for resisting external attack.
>
> However, a firewall in this situation might protect you more from
> _local_ users. That is, local users cannot start listening daemons on
> high ports on their own. Again, depending on the site policy, this may
> be good or bad. If policy is that users are trusted and _should_ be
> able to do things like that, firewalling is bad. OTOH, if users are
> less trusted and policy forbids these things, firewalling is the best
> way to stop it.

Well, there is this little matter of never really being sure you've
locked down services on a box... A firewall might help if a remote user
were to suddenly become a local user, in which case the arguments in
your last paragraph hold :)

G'luck,
Peter

--
This sentence claims to be an Epimenides paradox, but it is lying.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
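A host ruleset of the kind the thread is discussing, added here as an example and not taken from any message in it. It assumes an external interface named fxp0 and a server address of 192.0.2.10 (both constructed), denies everything inbound by default so that a daemon a local user starts on a high port is unreachable from outside, and opens only the http and ftp ports that Malcolm mentions; the comments at the end spell out where "closing up all services" gets harder than it looks.

```conf
# /etc/ipf.conf for a non-gateway server (constructed example).
# Assumptions: external interface fxp0, server address 192.0.2.10.
# IPFilter semantics: the LAST matching rule wins unless a rule says "quick".

# Loopback traffic is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default deny inbound on the external interface, logging what is dropped,
# so a service that was not locked down shows up in ipmon(8) output
# instead of being reachable.
block in log on fxp0 all

# Outbound connections are allowed; "keep state" lets their replies back in
# without a separate inbound rule, so the default deny above stays tight.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The only services exposed: HTTP and the FTP control channel.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 21 flags S keep state

# Caveats, following the "not as easy as it sounds" point in the thread:
# - Active-mode FTP data (server port 20 to the client) is an outbound
#   connection and matches the tcp rule above, so it works.
# - Passive-mode FTP data arrives on a high port, which the default deny
#   blocks; to support it, pin the FTP daemon's passive port range and add
#   a "pass in" rule for that range only, not for all high ports.
# - A daemon a local user starts on a high port is likewise unreachable
#   from fxp0 unless a rule is added here, which is the local-users point.
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` for logged drops to find services you thought were closed but were still answering.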