Date: Sat, 23 Feb 2002 21:27:39 -0500
From: "Jeff Palmer" <scorpio@drkshdw.org>
To: <freebsd-security@FreeBSD.ORG>
Subject: Couple of concerns with default rc.firewall
Message-ID: <003b01c1bcda$d4f06020$0286a8c0@home.lan>

Hi all.

I have a few concerns with the default /etc/rc.firewall.
It's fairly common practice (and typically considered to be the most secure practice) to build a default-to-deny firewall. Only traffic that you specifically allow, can pass.

Taking this into consideration, I checked 'man firewall' and find that it too, agrees with the above.

Having said that... is where we get into my problem.
I compile my kernel with ipfw support. Without the default_to_allow. and use a slightly modified "simple" configuration. This, by default denies all incoming icmp.
So, I again referred back to 'man firewall' and again, it agrees with my thinking.. Certain ICMP types are beneficial, and should not be denied (especially considering most users probably aren't "into" security so they use a default firewall if any at all.)

Is there any reason in particular, that ALL icmp traffic is denied by default, except for using the 'open' ruleset?
Or is this just a simple oversight, that needs to be examined?

Thanks in advance for any feedback.
Also, thanks for NOT flaming me if I've missed something obvious.
