Date: Sat, 14 Sep 2002 20:25:01 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Alan E <alane@geeksrus.net>
Cc: Edwin Groothuis <edwin@mavetju.org>, freebsd-ports@FreeBSD.ORG
Subject: Re: bash2
Message-ID: <20020914172501.GB379@straylight.oblivion.bg>
In-Reply-To: <20020914135955.GA50972@wwweasel.geeksrus.net>
References: <20020912043831.GB69776@k7.mavetju> <200209132223.g8DMNt1a027966@dt.home> <20020914015417.GA1692@gforce.johnson.home> <20020914100207.GA87001@wwweasel.geeksrus.net> <20020914134752.GD69776@k7.mavetju> <20020914135955.GA50972@wwweasel.geeksrus.net>
On Sat, Sep 14, 2002 at 09:59:55AM -0400, Alan E wrote:
> On Sat, Sep 14, 2002 at 11:47:52PM +1000, Edwin Groothuis wrote:
> >On Sat, Sep 14, 2002 at 06:02:07AM -0400, Alan E wrote:
> >> On Fri, Sep 13, 2002 at 08:54:17PM -0500, Glenn Johnson wrote:
> >> >On Sat, Sep 14, 2002 at 08:23:55AM +1000, Tony Maher wrote:
> >> >> > > Is anyone able to build bash2? I have not been able to retrieve
> >> >> > > the bash205b-003 patch file for several days.
> >> >>
> >> >> I also could not connect but have traced this to the fact that
> >> >> ftp.cwru.edu tries to use ident.
> >> >>
> >> >> Adding 'reset log logamount 100 tcp from any to any 113 in recv rl0'
> >> >> to my firewall rules and I can now get the patches.
> >> >
> >>
> >> I think it's an unfair imposition to require a security configuration
> >> change in my firewall to build a port. Could these patches be also
> >> hosted on a freebsd.org machine?
> >
> >If _your_ host doesn't follow the normal rules of the IP network
> >(i.e. if you send a packet to a port which doesn't have a service
> >bound to it, you send a TCP reset packet) and something goes wrong
> >because of it, it is _you_ who has a problem, not the other side.
>
> It's this FBSD 4.7-PRE box, and the ident port is not allowed through
> the ipfw firewall. That's all. I guess FreeBSD has a problem, huh?

This is an issue that comes up often on security-related lists. Many
people think that unless your server is already under attack or under a
very high normal traffic load, the normal way to 'not allow' an incoming
TCP SYN packet is to send back a RST, not just to drop it on the floor.
This - a 'reset' rule as opposed to a 'deny' rule - lets the peer know
that, yes, you are aware that somebody might attempt connections to this
service, and no, you do not allow them to.

Dropping the SYN packet and letting the incoming connection time out is
generally not considered friendly neighborhood netizen behavior :)

Of course, if you are under attack, or you have a serious premonition
that you may come to be under attack soon, or if the usual traffic over
your wire stretches the bandwidth almost to its limits, then dropping
incoming connection packets may be a very sensible policy. However, it
is my personal opinion that for the general case, a 'reset' rule is much
more useful to both you and the Internet as a whole :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Do you think anybody has ever had *precisely this thought* before?
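The 'reset' versus 'deny' distinction discussed in this thread is visible from the client side: behind a 'reset' rule, connect() fails at once with ECONNREFUSED because the firewall answers the SYN with a RST; behind a 'deny' rule the SYN is swallowed and connect() hangs until its timeout expires, which is exactly the delay that made the ident lookup by ftp.cwru.edu stall. The script below is an added example, not part of the thread or of FreeBSD; it assumes a host and port that you administer (so the only thing it probes is your own firewall policy) and classifies the outcome. The ipfw rule in the comment is the one quoted in the thread, with the `deny` action as the single change for the drop variant.

```python
"""Classify a firewall's answer to a TCP SYN: RST ("reset") or silent drop.

Added example, not from the mailing-list thread.  Assumes HOST:PORT is a
machine and service you administer.  The two ipfw rules it tells apart
(the first is the one quoted in the thread; the second is constructed):

    reset log logamount 100 tcp from any to any 113 in recv rl0   # RST back
    deny  log logamount 100 tcp from any to any 113 in recv rl0   # silent drop
"""
import errno
import socket


def classify(exc):
    """Map the OSError raised by socket.connect() to the policy it implies."""
    # Timeout: the SYN was dropped on the floor, nothing ever came back.
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "drop"
    # Refused: the peer, or a firewall in front of it, sent a RST.
    if isinstance(exc, ConnectionRefusedError) or \
            getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "reset"
    # Anything else: ICMP unreachable, no route, address family problems.
    return "unreachable"


def probe(host, port, timeout=3.0):
    """Return 'open', 'reset', 'drop' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # three-way handshake completed
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()


def unused_local_port():
    """Ask the kernel for a free loopback port and release it again.

    Used only to demonstrate the 'reset' outcome offline: with no listener
    and no firewall rule, the loopback stack itself answers the SYN with RST.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed demonstration target: a closed loopback port behaves like
    # a 'reset' rule.  Replace with your own host and port 113 to check an
    # ident rule; a 'deny' rule shows up as 'drop' after the timeout.
    target_port = unused_local_port()
    print("127.0.0.1:%d -> %s" % (target_port, probe("127.0.0.1", target_port)))
```

Run it against your own firewall with the ident port (113) and a short timeout: a result of `reset` means the peer gets an immediate answer, `drop` means every ident-using server will wait out its own timeout before serving you, which is the delay the thread started from.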