From owner-freebsd-security Sat Dec 4 7:58:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id B197B14F6C; Sat, 4 Dec 1999 07:58:24 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id IAA11471; Sat, 4 Dec 1999 08:57:13 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id IAA16413; Sat, 4 Dec 1999 08:57:12 -0700
Date: Sat, 4 Dec 1999 08:57:12 -0700
Message-Id: <199912041557.IAA16413@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Adam Laurie
Cc: Nate Williams, "Rodney W. Grimes", John Baldwin, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
In-Reply-To: <384910D5.43271787@algroup.co.uk>
References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com> <3847F55E.B546B2EB@algroup.co.uk> <199912031658.JAA11193@mt.sri.com> <3847F939.47978597@algroup.co.uk> <199912031729.KAA11375@mt.sri.com> <384812A7.EAAB3BD8@algroup.co.uk> <199912032006.NAA12109@mt.sri.com> <384910D5.43271787@algroup.co.uk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > The problem is that there is no generic solution.
>
> As I pointed out earlier on, this is a generic solution - it just needs
> a few different versions of the rules to cope with each scenario. I will
> say it one last time, then give up: your ruleset allows UDP services to
> be attacked from a "trusted" host, or something that is able to spoof
> it. Mine does not.
Except in many cases, the 'trusted' host *IS* the firewall itself, or a
machine that you *can* trust if it's inside the firewall. This is
acceptable in many cases, and for what it's worth, in my ruleset it still
doesn't allow UDP services to be attacked. You didn't read *my* list of
rules very carefully.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
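The disagreement above turns on one mechanism: a UDP allow rule keyed only on a source address is satisfied by any packet that carries that address, including a spoofed one arriving from outside. The block below is an added example, not either poster's rc.firewall ruleset (neither ruleset is reproduced in this message). It is a small Python simulation of ipfw-style first-match filtering; the interface names (ed0/ed1), the addresses, the port and the rule order are all constructed for illustration. Ruleset A allows UDP/53 to the firewall from a trusted inside host by address alone; ruleset B puts an anti-spoof rule first, in the spirit of ipfw's `deny ip from <inside-net> to any in via <outside-if>`, so that a packet claiming an inside source address but arriving on the outside interface is dropped before the allow rule is reached. The genuine packet from the inside interface still passes both rulesets.

```python
"""Simulated first-match packet filter (ipfw-style) showing why an address-only
UDP allow rule is spoofable and how an interface-based anti-spoof rule fixes it.
Constructed example: interface names, addresses and rules are illustrative and
are not taken from either poster's ruleset."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str    # "udp" or "tcp"
    src: str      # source IP as claimed in the header (spoofable)
    dst: str
    dport: int
    iface: str    # interface the packet actually arrived on (not spoofable)


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None
    in_via: Optional[str] = None  # like ipfw "in via <iface>"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.in_via is not None and self.in_via != p.iface:
            return False
        return True


def evaluate(rules, p: Packet) -> str:
    """First matching rule decides; default deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed topology: ed0 faces the outside, ed1 faces the inside LAN.
OUTSIDE, INSIDE = "ed0", "ed1"
INSIDE_NET = "192.168.1.0/24"
TRUSTED = "192.168.1.10/32"     # the "trusted" inside host
FW_INSIDE = "192.168.1.1/32"    # the firewall's own inside address
ANY = "0.0.0.0/0"

# Ruleset A: trusts the claimed source address alone.
RULES_A = [
    Rule("allow", "udp", TRUSTED, FW_INSIDE, dport=53),
    Rule("deny", "ip", ANY, ANY),
]

# Ruleset B: anti-spoof rule first, then the same allow.
RULES_B = [
    Rule("deny", "ip", INSIDE_NET, ANY, in_via=OUTSIDE),   # inside addr from outside: bogus
    Rule("allow", "udp", TRUSTED, FW_INSIDE, dport=53),
    Rule("deny", "ip", ANY, ANY),
]

# Constructed packets: identical headers, different arrival interfaces.
LEGIT = Packet("udp", "192.168.1.10", "192.168.1.1", 53, INSIDE)
SPOOFED = Packet("udp", "192.168.1.10", "192.168.1.1", 53, OUTSIDE)


def compare() -> dict:
    """Return {ruleset: (verdict for LEGIT, verdict for SPOOFED)}."""
    return {
        name: (evaluate(rs, LEGIT), evaluate(rs, SPOOFED))
        for name, rs in (("A", RULES_A), ("B", RULES_B))
    }


if __name__ == "__main__":
    for name, (legit, spoofed) in compare().items():
        print(f"ruleset {name}: legit={legit} spoofed={spoofed}")
```

The point the simulation makes is that the allow rule itself is the same in both rulesets; what changes is whether something earlier in the chain checks the one property an outside attacker cannot forge, the ingress interface. When the trusted host is the firewall itself or sits behind it, the anti-spoof rule on the outside interface is what keeps that trust from being borrowed.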