Date: Sun, 24 Feb 2002 17:51:00 -0500
From: John Stalker <stalker@Math.Princeton.EDU>
To: freebsd-security@FreeBSD.org
Subject: Re: Couple of concerns with default rc.firewall
Message-ID: <200202242251.g1OMp0d06553@math.Princeton.EDU>
In-Reply-To: <xzpd6yuvndo.fsf@flood.ping.uio.no>
References: <20020224104008.H14963-100000@mohegan.mohawk.net> <001901c1bd4e$3f03d8c0$0286a8c0@home.lan> <xzpd6yuvndo.fsf@flood.ping.uio.no>
I would say that Jeff expressed himself quite clearly. At least I had no trouble understanding him. The question is not why the default firewall rules as written block absolutely everything. Anyone can read them and verify that that is their effect. The question is whether this is a sensible choice of default.

I don't really like this choice. I don't think it helps matters much to say that users can always switch to default to allow. That isn't a very good default either. A good choice of default would be one which blocks ALMOST everything. The truly paranoid can always remove a few lines and make it deny absolutely everything, but if you are that paranoid you should probably be running OpenBSD.

The problem with making a default which is so secure as to be unusable is that it tempts people to punch giant holes in it to make their systems usable again. I would bet that most people who try default to deny either remove their firewalls entirely or switch to default to accept rather than learn how to identify which packets they need and modify the rules to allow only those.

> "Jeff Palmer" <scorpio@drkshdw.org> writes:
> > I'm not sure if you two are bored, or what the problem is.
>
> Maybe the problem is your attitude, and your inability and / or
> unwillingness to express yourself clearly.
>
> If the question is "why don't any of the default policies in
> /etc/rc.firewall include a rule to let icmp packets through?", the
> answer is (probably) "because nobody cared enough to add one".
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

--
John Stalker
Department of Mathematics
Princeton University
(609)258-6469

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message