From owner-freebsd-security Wed Feb 21 5:30:45 2001
Message-ID: <3A93C2FB.3E160997@ocsinternet.com>
Date: Wed, 21 Feb 2001 08:30:35 -0500
From: Mikel King <mikel@ocsinternet.com>
Organization: OCS Internet
To: Adam Laurie
Cc: Nick Sayer, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk>

Yes, I would tend to agree that it would be rather handy to have the config outside of the rc.firewall, and rc.conf is a likely candidate. Presently I do this manually because I have several scripts that use these common vars like 'oif', and for maintenance purposes it's easier to have a central point for their assignment.

cheers,
mikel

Adam Laurie wrote:
> Nick Sayer wrote:
> >
> > I would like to suggest a new "simple" firewall configuration.
> >
> > I recently put a security fix in the prototype /etc/rc.firewall
> > stuff to close up a rather glaring security hole.
> >
> > The old stuff did
> >
> >     pass udp from any 53 to ${oip}
> >
> > which allows someone to communicate, for instance, with port 2049 so
> > long as they bind their end to 53. The state keeping stuff is the
> > correct solution.
> >
> > My proposed "simple" firewall config goes something like this:
> >
> >     check-state
> >     pass udp from ${mynet} to any keep-state
> >     pass all from ${mynet} to any
> >     pass tcp from any to any established
> >     pass icmp from any to any
> >
> > This simple set of rules represents a simple one-way set up. UDP is
> > allowed to go out, and matching replies are allowed to come back in.
> > TCP sessions are allowed to go out only.
> >
> > By itself it is not a complete ruleset, but I think it is a better one
> > than any of the examples we presently have. I haven't committed this
> > because I wanted to start some discussion first and commit the resulting
> > consensus.
>
> While you're at it, all the variable definitions need to be moved out of
> rc.firewall itself and into rc.conf. I would also like to see a "mobile"
> section for ppp/dialup and will contribute mine if required... good luck
> with getting a commit! :)
>
> cheers,
> Adam
> --
> Adam Laurie                Tel: +44 (20) 8742 0755
> A.L. Digital Ltd.          Fax: +44 (20) 8742 5995
> Voysey House               http://www.thebunker.net
> Barley Mow Passage         http://www.aldigital.co.uk
> London W4 4GB              mailto:adam@algroup.co.uk
> UNITED KINGDOM             PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
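The hole Nick describes, and why the check-state/keep-state rules close it, is easy to see by running both rulesets over a few packets. The following is an added example, not code from the thread or from FreeBSD: a deliberately small Python model of ipfw rule evaluation (first match wins, dynamic entries created by keep-state, matched by check-state in either direction, default deny as on a stock kernel). The addresses, the MYNET/OIP values and the sample packets are constructed; the Rule/Packet/Firewall names are this example's own, not ipfw's.

```python
"""Toy ipfw-style evaluator: old port-53 rule vs. Nick's stateful ruleset.

Hypothetical simplified model written for this example. It is not ipfw
and only covers what the thread discusses: proto/address/port matching,
``established``, ``keep-state`` and ``check-state``.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False   # TCP only: ACK or RST set (not a bare SYN)


@dataclass
class Rule:
    action: str                 # "pass", "deny" or "check-state"
    proto: str = "all"          # "all", "udp", "tcp" or "icmp"
    src: str = "any"            # address or CIDR, or "any"
    sport: Optional[int] = None # None matches any port
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False    # create a dynamic 5-tuple entry on match
    established: bool = False   # only match TCP packets with ACK/RST set


def _addr_match(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()        # 5-tuples recorded by keep-state rules

    def _dyn_match(self, p: Packet) -> bool:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def check(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                if self._dyn_match(p):
                    return "pass"
                continue
            if r.proto != "all" and r.proto != p.proto:
                continue
            if not _addr_match(p.src, r.src) or not _addr_match(p.dst, r.dst):
                continue
            if r.sport is not None and r.sport != p.sport:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.established and not (p.proto == "tcp" and p.established):
                continue
            if r.keep_state and r.action == "pass":
                self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "deny"   # stock kernel default rule 65535 is deny


MYNET = "10.0.0.0/24"   # constructed stand-in for ${mynet}
OIP = "192.0.2.1"       # constructed stand-in for ${oip}

OLD_RULES = [Rule("pass", "udp", sport=53, dst=OIP)]   # pass udp from any 53 to ${oip}

NEW_RULES = [
    Rule("check-state"),
    Rule("pass", "udp", src=MYNET, keep_state=True),    # pass udp from ${mynet} to any keep-state
    Rule("pass", "all", src=MYNET),                     # pass all from ${mynet} to any
    Rule("pass", "tcp", established=True),              # pass tcp from any to any established
    Rule("pass", "icmp"),                               # pass icmp from any to any
]

# Constructed sample traffic.
ATTACK = Packet("udp", "203.0.113.7", 53, OIP, 2049)           # bound to 53, aimed at NFS
QUERY = Packet("udp", "10.0.0.5", 1025, "203.0.113.53", 53)    # outbound DNS query
REPLY = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 1025)    # the matching reply
STRAY = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 2049)    # same server, wrong port


def demo() -> dict:
    old, new = Firewall(OLD_RULES), Firewall(NEW_RULES)
    return {
        "old_attack": old.check(ATTACK),   # pass: source port 53 is all it takes
        "new_attack": new.check(ATTACK),   # deny: no outbound flow to match
        "new_query": new.check(QUERY),     # pass, and records the 5-tuple
        "new_reply": new.check(REPLY),     # pass via check-state
        "new_stray": new.check(STRAY),     # deny: reply must match the whole tuple
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stray-reply case is the point of keep-state over a port-based rule: the dynamic entry is the full 5-tuple, so a remote host that answers from port 53 can only reach the inside port that actually sent the query. One caveat the model also makes visible: `pass tcp from any to any established` matches on the ACK/RST flag bits, not on tracked state, so any inbound TCP segment carrying ACK is admitted by it; as Nick says, the ruleset is a starting point rather than a complete one.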