Date: Sat, 04 Dec 1999 19:46:08 +0000 From: Adam Laurie <adam@algroup.co.uk> To: Nate Williams <nate@mt.sri.com> Cc: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <38496F80.EEC8AD51@algroup.co.uk> References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com> <3847F55E.B546B2EB@algroup.co.uk> <199912031658.JAA11193@mt.sri.com> <3847F939.47978597@algroup.co.uk> <199912031729.KAA11375@mt.sri.com> <384812A7.EAAB3BD8@algroup.co.uk> <199912032006.NAA12109@mt.sri.com> <384910D5.43271787@algroup.co.uk> <199912041557.IAA16413@mt.sri.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Nate Williams wrote: > > > > The problem is that there is no generic solution. > > > > As I pointed out earlier on, this is a generic solution - it just needs > > a few different versions of the rules to cope with each scenario. I will > > say it one last time, then give up: your ruleset allows UDP services to > > be attacked from a "trusted" host, or something that is able to spoof > > it. Mine does not. > > Except in many cases, the 'trusted' host *IS* the firewall itself, or a > machine that you *can* trust if it's inside the firewall. Yes, but at some point in your chain you have to talk to the outside world. It is at that point that you are vulnerable as you are trusting an external machine. > > This is acceptable in many cases, and for what it's worth, in my ruleset > it still doesn't allow UDP services to be attacked. You didn't read > *my* list of rules very carefully. Since you didn't post any rules, only statements about what they do, I can't comment. Rod also claimed his ruleset was "safe", and you backed him up, but it isn't. cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38496F80.EEC8AD51>