Date: Sat, 23 Feb 2002 21:27:39 -0500
From: "Jeff Palmer" <scorpio@drkshdw.org>
To: <freebsd-security@FreeBSD.ORG>
Subject: Couple of concerns with default rc.firewall
Message-ID: <003b01c1bcda$d4f06020$0286a8c0@home.lan>
Hi all.

I have a few concerns with the default /etc/rc.firewall.

It's fairly common practice (and typically considered to be the most secure practice) to build a default-to-deny firewall. Only traffic that you specifically allow can pass.

Taking this into consideration, I checked 'man firewall' and find that it, too, agrees with the above.

Having said that... this is where we get into my problem.

I compile my kernel with ipfw support, without the default_to_allow, and use a slightly modified "simple" configuration. This, by default, denies all incoming ICMP.

So, I again referred back to 'man firewall' and again, it agrees with my thinking: certain ICMP types are beneficial, and should not be denied (especially considering most users probably aren't "into" security, so they use a default firewall if any at all).

Is there any reason in particular that ALL ICMP traffic is denied by default, except for using the 'open' ruleset? Or is this just a simple oversight that needs to be examined?

Thanks in advance for any feedback. Also, thanks for NOT flaming me if I've missed something obvious.
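As the post describes, the "simple" ruleset leaves ICMP entirely to the kernel's default deny. The fragment below is an added example, not code from the original post or from FreeBSD's rc.firewall: an rc.firewall-style sh snippet that admits only the ICMP error and reply types a default-to-deny host still needs, and drops the rest explicitly so the decision is visible in the log. The `${fwcmd}` and `${oif}` variable names follow rc.firewall's convention; the interface name `xl0` is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.firewall). Follows rc.firewall's convention
# of ${fwcmd} naming the ipfw binary and ${oif} the outside interface.
# Set fwcmd=echo to print the rules instead of loading them.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-xl0}"    # assumed interface name, placeholder only

# ICMP types a default-to-deny ruleset should still accept from outside:
#   0  echo reply              (answers to this host's own pings)
#   3  destination unreachable (code 4 "fragmentation needed" drives path MTU
#                               discovery; blocking it causes stalled TCP)
#   11 time exceeded           (TTL expiry, traceroute)
#   12 parameter problem
# Echo request (8), redirect (5) and timestamp (13) are deliberately absent.
icmp_keep="0,3,11,12"

add_icmp_rules() {
    # Accept the useful error/reply types inbound on the outside interface.
    # Rules are auto-numbered after the existing ones; because the "simple"
    # ruleset adds no final deny itself (rule 65535 does that), these are reached.
    ${fwcmd} add pass icmp from any to any in via ${oif} icmptypes ${icmp_keep}
    # Let outbound ICMP leave so our own pings, traceroutes and error
    # replies (e.g. unreachable for closed UDP ports) still work.
    ${fwcmd} add pass icmp from any to any out via ${oif}
    # Drop and log every other inbound ICMP type explicitly rather than
    # relying on the implicit default deny; the log shows what was filtered.
    ${fwcmd} add deny log icmp from any to any in via ${oif}
}

# Exposes the accepted type list so a caller (or a test) can inspect it.
icmp_allowed_types() {
    printf '%s\n' "${icmp_keep}"
}
```

Run with `fwcmd=echo sh thisfile.sh` to review the generated rules before loading them on a live system.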