From owner-freebsd-security Sun Feb 24 14:51:09 2002
Message-Id: <200202242251.g1OMp0d06553@math.Princeton.EDU>
To: freebsd-security@FreeBSD.org
Subject: Re: Couple of concerns with default rc.firewall
In-reply-to:
References: <20020224104008.H14963-100000@mohegan.mohawk.net> <001901c1bd4e$3f03d8c0$0286a8c0@home.lan>
Comments: In-reply-to Dag-Erling Smorgrav message dated "24 Feb 2002 17:46:27 +0100."
Date: Sun, 24 Feb 2002 17:51:00 -0500
From: John Stalker

I would say that Jeff expressed himself quite clearly. At least I had no trouble understanding him. The question is not why the default firewall rules as written block absolutely everything. Anyone can read them and verify that that is their effect. The question is whether this is a sensible choice of default.

I don't really like this choice. I don't think it helps matters much to say that users can always switch to default to allow. That isn't a very good default either. A good choice of default would be one which blocks ALMOST everything. The truly paranoid can always remove a few lines and make it deny absolutely everything, but if you are that paranoid you should probably be running OpenBSD.

The problem with making a default which is so secure as to be unusable is that it tempts people to punch giant holes in it to make their systems usable again. I would bet that most people who try default to deny either remove their firewalls entirely or switch to default to accept rather than learn how to identify which packets they need and modify the rules to allow only those.

> "Jeff Palmer" writes:
> > I'm not sure if you two are bored, or what the problem is.
>
> Maybe the problem is your attitude, and your inability and / or
> unwillingness to express yourself clearly.
>
> If the question is "why don't any of the default policies in
> /etc/rc.firewall include a rule to let icmp packets through?", the
> answer is (probably) "because nobody cared enough to add one".
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

--
John Stalker
Department of Mathematics
Princeton University
(609)258-6469

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
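As an added illustration, not part of the message above and not FreeBSD's own rc.firewall, here is an ipfw ruleset in the spirit of the "block ALMOST everything" default the message argues for: loopback, established TCP, outbound connections, DNS replies and the ICMP types TCP/IP depends on are let through, inbound connection attempts are refused except to a short service list, and everything else is dropped. The interface name fxp0, the choice of ssh (port 22) as the only inbound service, and the helper name rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or rc.firewall): an ipfw
# ruleset that blocks almost everything rather than absolutely everything.
# Rules are emitted as "add ..." lines so they can be written to a file and
# loaded with "ipfw -q FILE" (or syntax-checked only with "ipfw -n FILE").

EXT_IF=${EXT_IF:-fxp0}      # external interface: assumed name, adjust per host
SERVICES=${SERVICES:-22}    # TCP ports reachable from outside: assumed ssh only

rules() {
    # Loopback traffic is always fine; 127/8 addresses seen on the wire are spoofed.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"

    # Packets of already established TCP connections, whichever side opened them.
    echo "add 1000 allow tcp from any to any established"

    # This host may open outbound TCP connections; inbound connection attempts
    # (SYN without ACK) are refused except to the listed services.
    echo "add 1100 allow tcp from me to any out setup"
    for p in $SERVICES; do
        echo "add 1200 allow tcp from any to me $p in setup"
    done
    echo "add 1300 deny tcp from any to any in setup"

    # DNS: outbound queries and the replies to them.
    echo "add 2000 allow udp from me to any 53 out"
    echo "add 2100 allow udp from any 53 to me in"

    # ICMP: the types TCP/IP actually needs.  3 = destination unreachable
    # (its "fragmentation needed" code drives path-MTU discovery),
    # 11 = time exceeded, 0/8 = echo reply/request.
    echo "add 3000 allow icmp from any to any icmptypes 0,3,8,11"

    # Everything else is dropped.  Removing the allow rules above is what turns
    # this into the "deny absolutely everything" policy the message objects to.
    echo "add 65000 deny ip from any to any"
}

# Usage: ./rules.sh print > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
if [ "${1:-}" = "print" ]; then
    rules
fi
```

The single rule that distinguishes this from a "deny everything" default is 1300 paired with 1100: inbound SYNs are refused, but everything the host itself initiates keeps working, and rule 3000 keeps the ICMP messages without which path-MTU discovery and traceroute silently break.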