Date: Mon, 26 Feb 1996 08:43:14 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: imb@scgt.oz.au (michael butler)
Cc: phk@critter.tfs.com, stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
Message-ID: <199602261443.IAA15422@brasil.moneng.mei.com>
In-Reply-To: <199602261341.AAA09032@asstdc.scgt.oz.au> from "michael butler" at Feb 27, 96 00:41:15 am
> Poul-Henning Kamp writes:
>
> > > If you ^C your way to a shell prompt, there's a single rule that's in
> > > the firewall list saying "deny all from any to any". Courtesy of the
> > > same recent brain-damage in ipfw(8), you can't delete this rule either
> > > ("setsockopt failed").
>
> > If you call this "brain-damage" then you quite clearly don't need IPFW.
>
> I call it "brain-damage" to render a machine unbootable because it can't
> "see" its _own_ interfaces. AFAIK, firewalls by default prevent packets
> passing _through_ them but are themselves permitted to talk to anything they
> have a route to (the previous behaviour with a default policy of "deny"). A
> direct connection (interface in the same box) constitutes having a "route to".

Sorry, I quite vehemently disagree. In order to preserve any pretense of being a firewall, the firewall itself MUST be able to be protected by the same policies that protect the networks it is protecting.

My firewalls generally drop *everything* bound for themselves (i.e. you CANNOT telnet, ftp, NFS, finger, ping, etc. from EITHER side of the firewall; the policy is that external packets may not cause the firewall to execute programs, modify data, etc. - only route packets). This policy guarantees the invulnerability of the firewall - and generally the nets that I firewall have similar rules.

You cannot have a firewall that firewalls routed packets but not packets to itself. The chance exists for someone to cause something to happen on the firewall (be it a telnet session, whatever), and once your firewall is compromised, the firewall is useless. The firewall MUST be effectively protected itself.

My 2.0.5R/2.1.0R firewalls start out with the assumption that the world is not firewalled and I build firewalls from that point, restricting vast ranges. It would probably be "easier" for the reverse to happen, at least for me. Either way - I don't care because I know the desired end result.
> Further, there are no hints whatsoever in the current rc, sysconfig,
> netstart, et al to indicate that this (current condition) is the problem.
> Even if this (IMHO unusual) behaviour was documented it wouldn't be so much
> of a problem,

Sure, absolutely agree with that! :-)

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                       414/546-7968
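As an added illustration (not code from the thread or from ipfw itself), the following small first-match rule evaluator in the style of ipfw contrasts the boot-time state the thread complains about (a lone "deny all from any to any") with the self-protecting policy Joe describes, where the box only routes and nothing from either side may address the firewall itself. The addresses, interface names (ed0, ed1, lo0) and the loopback allow rule are constructed assumptions, and "via" is simplified to a single interface field per packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    iface: str  # interface the packet is seen on (simplified ipfw "via")

@dataclass
class Rule:
    action: str                # "allow" or "deny"
    src: str = "any"           # CIDR or "any"
    dst: str = "any"
    via: Optional[str] = None  # interface name, or None to match any

def _in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for r in rules:
        if _in(r.src, pkt.src) and _in(r.dst, pkt.dst) and r.via in (None, pkt.iface):
            return r.action
    return "deny"

def boot_default_ruleset() -> list:
    # The single rule the thread describes: even the host's own loopback
    # traffic is refused, which is why the machine cannot finish booting.
    return [Rule("deny")]

# Constructed addresses for the firewall's two interfaces (assumed names).
OUTSIDE_ADDR = "192.0.2.1"   # on ed0
INSIDE_ADDR = "10.0.0.1"     # on ed1

def self_protecting_ruleset() -> list:
    """Joe's policy: the firewall only routes; nothing from either side may
    talk to the firewall itself. The loopback allow is an assumption about
    how to keep the box able to see its own interfaces while booting."""
    return [
        Rule("allow", via="lo0"),
        Rule("deny", dst=OUTSIDE_ADDR + "/32"),   # drop packets for the box itself
        Rule("deny", dst=INSIDE_ADDR + "/32"),    # from the inside as well
        Rule("allow", src="10.0.0.0/24"),         # inside hosts may be routed out
        Rule("deny"),                             # catch-all, same as the default rule
    ]
```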