From: Peter Pentchev
To: "N. J. Cash"
Cc: FreeBSD Security
Date: Fri, 15 Mar 2002 09:06:11 +0200
Subject: Re: telnet / ipfw question
Message-ID: <20020315090611.A337@straylight.oblivion.bg>
In-Reply-To: <003501c1cb81$2e12faa0$e8cede18@xeno>
List: freebsd-security@freebsd.org

On Thu, Mar 14, 2002 at 01:53:42PM -0400, N. J. Cash wrote:
> I have telnet enabled on my system running 4.5-stable and have it hidden
> behind very strict ipfw rules so that the only IP that has access to the box
> on port 23 is my home static IP, everything else is denied by the firewall.
> I'm well aware of the risks of having telnet open and how insecure it can be
> so, I'm just looking for some input here if this sounds like a safe way to
> have the daemon running on a system. Would there still be security risks
> involved that I'm not aware about running it this way?
>
> Here's basically what's going on in ipfw for port 23.
>
> ipfw add 1400 allow log tcp from x.x.myip.x.x to any 23
> ipfw add 09000 deny log ip from any to any
>
> Look safe ?

I do not know about safe, but you either have not tested this, or are not
showing us your complete ruleset. This, by itself, would allow packets from
your IP address to any host's telnet port, but it will NOT allow the
responses; thus, you will not even be able to establish a connection, let
alone actually use telnet :)

If this host is the server that you want to use, a better (actually working)
firewall ruleset would contain something like..

ipfw add 1000 allow tcp from me to any setup
ipfw add 1400 allow tcp from x.x.myip.x.x to me 23 setup
ipfw add 9000 deny tcp from any to me 23 setup

And.. others have already commented on the dangers of using telnet, I will
not restate their arguments, just say that I agree with them that you should
not really use telnet except in *very* exceptional circumstances (a really
local-area network, and even then maybe only for access to routers, access
servers, switches and such, that do not yet support SSH; and even some of
those do now).

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence no verb.
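The point Peter makes about the original ruleset (the inbound SYN is allowed but the server's SYN/ACK is not) is easy to check by walking a TCP handshake through an ipfw-style first-match evaluator. The following is an added illustration, not code from the thread or from FreeBSD: it models a small subset of ipfw(8) syntax (allow/deny, tcp/ip, "me", "any", ports, "setup", "established") and runs both rulesets against the three handshake packets as the server's firewall would see them. The addresses are constructed, and the "100 allow tcp from any to any established" rule is an assumption standing in for the rest of a real rc.firewall ruleset, since Peter's three lines only restrict connection-setup packets.

```python
"""Minimal model of ipfw first-match rule evaluation (added example).

Only enough of ipfw(8) is modelled to show why a ruleset that matches on
destination port 23 in one direction blocks the telnet server's replies,
and why restricting only 'setup' (SYN) packets, with an 'established'
rule for the rest of the flow, lets the handshake complete.
"""

from dataclasses import dataclass

ME = "10.0.0.5"              # constructed: the telnet server ("me" in ipfw)
MY_HOME_IP = "198.51.100.7"  # constructed: stands in for x.x.myip.x.x
STRANGER = "203.0.113.9"     # constructed: any other host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

    @property
    def setup(self) -> bool:
        # ipfw "setup": SYN set and ACK clear, i.e. the first handshake packet
        return self.syn and not self.ack

    @property
    def established(self) -> bool:
        # ipfw "established": ACK (or RST) set; only ACK is modelled here
        return self.ack


def _match_host(spec: str, host: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return host == ME
    return spec == host


def parse_rule(text: str):
    """Parse 'NUM allow|deny tcp|ip from SRC [PORT] to DST [PORT] [setup|established]'."""
    toks = text.split()
    num, action, proto = int(toks[0]), toks[1], toks[2]
    assert proto in ("tcp", "ip"), "only tcp/ip rules are modelled"
    i = toks.index("from") + 1
    src, i = toks[i], i + 1
    sport = None
    if toks[i] != "to":
        sport, i = int(toks[i]), i + 1
    i += 1  # skip 'to'
    dst, i = toks[i], i + 1
    dport = None
    if i < len(toks) and toks[i] not in ("setup", "established"):
        dport, i = int(toks[i]), i + 1
    flag = toks[i] if i < len(toks) else None
    return (num, action, src, sport, dst, dport, flag)


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; the fall-through default mirrors
    a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT (FreeBSD's default)."""
    for num, action, src, sport, dst, dport, flag in sorted(
        (parse_rule(r) for r in rules), key=lambda r: r[0]
    ):
        if not _match_host(src, pkt.src) or not _match_host(dst, pkt.dst):
            continue
        if (sport is not None and sport != pkt.sport) or (
            dport is not None and dport != pkt.dport
        ):
            continue
        if flag == "setup" and not pkt.setup:
            continue
        if flag == "established" and not pkt.established:
            continue
        return action
    return default


def telnet_handshake(client: str):
    """The three handshake packets of client -> ME:23 as the server's firewall sees them."""
    return [
        Packet(client, 40000, ME, 23, syn=True, ack=False),  # inbound SYN
        Packet(ME, 23, client, 40000, syn=True, ack=True),   # outbound SYN/ACK
        Packet(client, 40000, ME, 23, syn=False, ack=True),  # inbound ACK
    ]


# The ruleset quoted in the question ('log' omitted; it does not affect matching).
ORIGINAL_RULES = [
    f"1400 allow tcp from {MY_HOME_IP} to any 23",
    "9000 deny ip from any to any",
]

# Peter's three rules, plus an assumed 'established' rule (not in his post)
# standing in for the rest of a real rc.firewall ruleset.
CORRECTED_RULES = [
    "100 allow tcp from any to any established",
    "1000 allow tcp from me to any setup",
    f"1400 allow tcp from {MY_HOME_IP} to me 23 setup",
    "9000 deny tcp from any to me 23 setup",
]


def verdicts(rules, client: str):
    """Per-packet verdicts for a telnet handshake from `client`."""
    return [evaluate(rules, p) for p in telnet_handshake(client)]


if __name__ == "__main__":
    print("original, home IP: ", verdicts(ORIGINAL_RULES, MY_HOME_IP))
    print("corrected, home IP:", verdicts(CORRECTED_RULES, MY_HOME_IP))
    print("corrected, stranger SYN:", verdicts(CORRECTED_RULES, STRANGER)[0])
```

With the original rules the SYN from the home address is allowed but the server's SYN/ACK (source port 23, destination port 40000) falls through to the deny-all, so the connection never completes. With the setup-only rules the SYN/ACK and ACK match the established rule, a SYN from any other address to port 23 is denied at rule 9000, and rule 1000 still lets the server open its own outbound connections, which the original deny-all would also have broken.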