From owner-freebsd-stable Mon Feb 26 06:55:59 1996 Return-Path: owner-stable Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA22606 for stable-outgoing; Mon, 26 Feb 1996 06:55:59 -0800 (PST) Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA22588 Mon, 26 Feb 1996 06:55:55 -0800 (PST) Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id IAA15449; Mon, 26 Feb 1996 08:54:41 -0600 From: Joe Greco Message-Id: <199602261454.IAA15449@brasil.moneng.mei.com> Subject: Re: -stable hangs at boot (fwd) To: phk@critter.tfs.com (Poul-Henning Kamp) Date: Mon, 26 Feb 1996 08:54:40 -0600 (CST) Cc: imb@scgt.oz.au, stable@freebsd.org, current@freebsd.org In-Reply-To: <11519.825344528@critter.tfs.com> from "Poul-Henning Kamp" at Feb 26, 96 03:22:08 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-stable@freebsd.org Precedence: bulk > > Poul-Henning Kamp writes: > > > > > Well, this happens to be your view. I know machines where IPFW are being > > > used to restrict what users on the machine can do, this is only possible > > > if you filter >ALL< traffic, to and from the machine. > > > > OK .. but, personally, I wouldn't call or attempt to use those boxes as > > firewalls .. any "sensitive" firewall/filtering router I have control over > > has two valid accounts which have any access at all, mine and one other, > > with limited privilege, for daily monitoring. No users == much reduced risk. > > I agree, I'd do that too. However, that is all a question of what your > policy is. The IPFW, should not affect your policy, but merely be able to > implement it. Agree. Sometimes you use IPFW for "related but not really" policy things. The uses are quite varied. My firewalls all have a "root" account and require console access, my routers have a single wheel user. But beyond that, I use it in several "insecure" places: The PPP/term servers I build will drop packets that claim a source address that is not assigned to the term server. (think: prevent IP spoofing). They also drop routing packets and a few other things that "shouldn't or don't need to happen". My public access UNIX system, Solaria, is not allowed to access the Internet directly because it doesn't generate the revenue that's paying for the T1. I use IPFW's accounting abilities in numerous places. Etc. None of these are "secure" or absolutely required, even, but the functionality of IPFW makes life so much easier. > However, the reason why I'm in this business right now was that a (by now > documented) criminal person gained access through a FreeBSD firewall, even > though the filters claimed that it wasn't possible. This was not something > I could have sitting on my shoulders as a security supplier. :-( ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/546-7968