Date: Wed, 21 Feb 2001 11:43:08 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Nick Sayer <nsayer@quack.kfu.com>
Cc: freebsd-security@freebsd.org
Subject: Re: /etc/rc.firewall fixes
Message-ID: <3A93A9CC.BC1D39FB@algroup.co.uk>
References: <200102202005.f1KK5kv83619@medusa.kfu.com>
Nick Sayer wrote:
>
> I would like to suggest a new "simple" firewall configuration.
>
> I recently put a security fix in the prototype /etc/rc.firewall
> stuff to close up a rather glaring security hole.
>
> The old stuff did
>
> pass udp from any 53 to ${oip}
>
> which allows someone to communicate, for instance, with port 2049 so
> long as they bind their end to 53. The state keeping stuff is the
> correct solution.
>
> My proposed "simple" firewall config goes something like this:
>
> check-state
> pass udp from ${mynet} to any keep-state
> pass all from ${mynet} to any
> pass tcp from any to any established
> pass icmp from any to any
>
> This simple set of rules represents a simple one-way set up. UDP is
> allowed to go out, and matching replies are allowed to come back in.
> TCP sessions are allowed to go out only.
>
> By itself it is not a complete ruleset, but I think it is a better one
> than any of the examples we presently have. I haven't committed this
> because I wanted to start some discussion first and commit the resulting
> consensus.
While you're at it, all the variable definitions need to be moved out of
rc.firewall itself and into rc.conf. I would also like to see a "mobile"
section for ppp/dialup and will contribute mine if required... good luck
with getting a commit! :)
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
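Added example (not part of the list posting or of FreeBSD's rc.firewall): a small Python model of how ipfw evaluates the two rulesets Nick quotes, showing that "pass udp from any 53 to ${oip}" admits an unsolicited packet aimed at port 2049 as long as its source port is 53, while the check-state/keep-state set only admits the reply to a flow our side opened. The addresses, ports and packet tuples are constructed for the demonstration; the model keeps only the UDP dynamic-rule behaviour and ignores rule timeouts and the TCP "established" rule.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

OIP = "192.0.2.10"   # assumed outside address, the old ${oip}
MYNET = "192.0.2."   # assumed ${mynet} prefix (OIP sits inside it)

def in_mynet(addr: str) -> bool:
    return addr.startswith(MYNET)

def old_ruleset_allows(p: Pkt) -> bool:
    """The old rule: pass udp from any 53 to ${oip}. Only the source port and
    destination address are checked, so the destination port is unconstrained."""
    return p.proto == "udp" and p.sport == 53 and p.dst == OIP

def new_ruleset_allows(p: Pkt, state: set) -> bool:
    """check-state / pass udp from ${mynet} to any keep-state /
    pass all from ${mynet} to any. `state` holds the dynamic rules
    that keep-state creates for outbound UDP flows (model, not real ipfw)."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
    if key in state or reverse in state:   # check-state: known flow, either direction
        return True
    if in_mynet(p.src):                     # outbound from our side
        if p.proto == "udp":
            state.add(key)                  # keep-state: remember this flow
        return True
    return False                            # nothing else is admitted by these rules

def demo() -> dict:
    """Run the page's scenario: a source-port-53 probe at NFS, then a real DNS exchange."""
    state = set()
    probe = Pkt("udp", "198.51.100.7", 53, OIP, 2049)    # unsolicited, sport 53 -> nfs
    query = Pkt("udp", OIP, 40000, "198.51.100.53", 53)  # our DNS query goes out
    reply = Pkt("udp", "198.51.100.53", 53, OIP, 40000)  # matching reply comes back
    return {
        "old_probe": old_ruleset_allows(probe),
        "new_probe": new_ruleset_allows(probe, state),
        "new_query": new_ruleset_allows(query, state),
        "new_reply": new_ruleset_allows(reply, state),
        "new_probe_after": new_ruleset_allows(probe, state),
    }
```

Real ipfw dynamic rules also carry a lifetime and are consulted at the check-state position before the static rules, so the model is a sketch of the matching logic rather than a substitute for testing the actual ruleset.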