From owner-freebsd-security Sat Feb 23 18:27:42 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <003b01c1bcda$d4f06020$0286a8c0@home.lan>
From: "Jeff Palmer"
Subject: Couple of concerns with default rc.firewall
Date: Sat, 23 Feb 2002 21:27:39 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

Hi all.

I have a few concerns with the default /etc/rc.firewall.
It's fairly common practice (and typically considered to be the most secure practice) to build a default-to-deny firewall. Only traffic that you specifically allow can pass.

Taking this into consideration, I checked 'man firewall' and find that it, too, agrees with the above.

Having said that... is where we get into my problem.
I compile my kernel with ipfw support, without the default_to_allow, and use a slightly modified "simple" configuration. This, by default, denies all incoming ICMP.
So, I again referred back to 'man firewall' and again, it agrees with my thinking. Certain ICMP types are beneficial, and should not be denied (especially considering most users probably aren't "into" security, so they use a default firewall if any at all).

Is there any reason in particular that ALL ICMP traffic is denied by default, except for using the 'open' ruleset?
Or is this just a simple oversight that needs to be examined?

Thanks in advance for any feedback.
Also, thanks for NOT flaming me if I've missed something obvious.