From: Mark.Andrews@isc.org
To: Arvinn Løkkebakken
Cc: Mark_Andrews@isc.org, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Fri, 19 Jul 2002 22:42:25 +0200." <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no>
Date: Sat, 20 Jul 2002 09:54:28 +1000
Message-Id: <200207192354.g6JNsSJe016025@drugs.dv.isc.org>
Sender: owner-freebsd-security@FreeBSD.ORG

> >> # Allow "local" traffic
> >> ipfw add allow all from any to any via lo0
> >>
> >> # Allow all outgoing traffic
> >> ipfw add allow all from any to any out
> >
> > This is a bad idea. You should only allow out what you
> > will accept back in. If you don't you will eventually be
> > guilty of pounding some poor server because you haven't
> > allowed the answers to come back.
>
> I can't see why that's a bad idea.
> ipfw does allow tcp ACK back through the firewall doesn't it?

Not by default. The example this came from didn't allow the ACKs
back in all cases.

> What do you mean only allow out what will accept in?

Communication is a two-way street. For TCP and UDP you have .

If you allow a packet out from to you should allow packets from to
back in. Or to put it another way, if you don't let to in then you
don't let to out.

If you have "ipfw add allow all from any to any out" then you should
have "ipfw add allow all from any to any in". The firewall was not
configured like that. It restricted inbound traffic, so it should
similarly restrict outbound traffic.

You should also allow back in any ICMP traffic that may be generated
as a result of allowing those UDP and TCP packets out. Similarly you
should allow out any ICMP traffic generated as a result of letting
TCP and UDP packets in. This is essential for correct operation of
IP, UDP and TCP.

Mark

> The source and destinations ports never have the same port numbers
> anyway.
>
> Arvinn
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
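The rule of thumb in the reply above (every flow you allow out needs its reply, and the ICMP it may provoke, allowed back in, and mirrored for flows you allow in) can be checked mechanically. The following Python checker is an added example and is not code from the thread or from FreeBSD; it parses only a small subset of ipfw(8) syntax, assumes an external interface named fxp0, a host address of 192.0.2.10, and sample rule sets and flows that are constructed here, and it uses first-match, deny-by-default semantics. It shows the "allow all out, restrict in" shape quoted in the thread failing the check while a symmetric rule set passes.

```python
"""Symmetry check for an ipfw-style ruleset (added example, not from the thread).
For every TCP/UDP flow the rules let out, the reply (addresses and ports swapped)
and any ICMP sent back in response must be allowed in, and mirrored for inbound.
Parsed syntax (a subset of ipfw(8), assumed for this example):
  [ipfw add] allow|deny PROTO from ADDR [PORT] to ADDR [PORT] [in|out] [via IFACE]
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

EXT_IFACE = "fxp0"  # assumed external interface; every sample flow crosses it
RULE_RE = re.compile(
    r"^(?:ipfw\s+add\s+)?(allow|deny)\s+(\S+)\s+from\s+(\S+)(?:\s+(\d+(?:-\d+)?))?"
    r"\s+to\s+(\S+)(?:\s+(\d+(?:-\d+)?))?(?:\s+(in|out))?(?:\s+via\s+(\S+))?$"
)
# sport/dport: single port or "lo-hi", None = any; direction None = both ways
Rule = namedtuple("Rule", "action proto src sport dst dport direction iface")


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for ICMP
    dst: str
    dport: Optional[int]

    def reply(self) -> "Flow":
        """The packet answering this one: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(*m.groups())


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_ok(pattern: Optional[str], port: Optional[int]) -> bool:
    if pattern is None:
        return True
    if port is None:
        return False
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, flow: Flow, direction: str) -> bool:
    return (rule.proto in ("all", "ip", flow.proto)
            and _addr_ok(rule.src, flow.src) and _port_ok(rule.sport, flow.sport)
            and _addr_ok(rule.dst, flow.dst) and _port_ok(rule.dport, flow.dport)
            and rule.direction in (None, direction) and rule.iface in (None, EXT_IFACE))


def permits(rules: List[Rule], flow: Flow, direction: str) -> bool:
    """First matching rule wins; no match means deny (ipfw's usual default)."""
    for rule in rules:
        if rule_matches(rule, flow, direction):
            return rule.action == "allow"
    return False


def find_asymmetries(rules: List[Rule], flows: List[Flow], direction: str) -> List[str]:
    """Flows allowed in `direction` whose reply or ICMP error is dropped on the way back."""
    back = "in" if direction == "out" else "out"
    problems = []
    for f in flows:
        if not permits(rules, f, direction):
            continue  # nothing gets through, so nothing needs to come back
        if not permits(rules, f.reply(), back):
            problems.append(f"reply to {f.proto} {f.src}:{f.sport}->{f.dst}:{f.dport} not allowed {back}")
        if not permits(rules, Flow("icmp", f.dst, None, f.src, None), back):
            problems.append(f"icmp from {f.dst} to {f.src} (e.g. unreachable) not allowed {back}")
    return problems


def check(lines: List[str], outbound: List[Flow], inbound: List[Flow]) -> List[str]:
    rules = [parse_rule(line) for line in lines]
    return find_asymmetries(rules, outbound, "out") + find_asymmetries(rules, inbound, "in")


# Shape of the ruleset quoted in the thread: everything out, little in.
# The ssh rule and the host address 192.0.2.10 are constructed for this example.
THREAD_RULESET = [
    "ipfw add allow all from any to any via lo0",
    "ipfw add allow all from any to any out",
    "ipfw add allow tcp from any to 192.0.2.10 22 in",
]
# Same policy written as the reply recommends: each permission has its mirror
# image, and ICMP generated by that traffic is allowed both ways.
SYMMETRIC_RULESET = [
    "ipfw add allow all from any to any via lo0",
    "ipfw add allow udp from 192.0.2.10 1024-65535 to any 53 out",
    "ipfw add allow udp from any 53 to 192.0.2.10 1024-65535 in",
    "ipfw add allow tcp from 192.0.2.10 1024-65535 to any 80 out",
    "ipfw add allow tcp from any 80 to 192.0.2.10 1024-65535 in",
    "ipfw add allow tcp from any to 192.0.2.10 22 in",
    "ipfw add allow tcp from 192.0.2.10 22 to any out",
    "ipfw add allow icmp from any to 192.0.2.10 in",
    "ipfw add allow icmp from 192.0.2.10 to any out",
]
# Constructed sample flows the host is expected to carry.
OUTBOUND = [Flow("udp", "192.0.2.10", 53000, "198.51.100.1", 53),  # DNS query
            Flow("tcp", "192.0.2.10", 49152, "203.0.113.5", 80)]   # HTTP request
INBOUND = [Flow("tcp", "203.0.113.7", 40000, "192.0.2.10", 22)]    # ssh login
```

Running `check(THREAD_RULESET, OUTBOUND, INBOUND)` reports four problems (the DNS and HTTP replies and the ICMP they may trigger are all dropped on the way in), while `check(SYMMETRIC_RULESET, OUTBOUND, INBOUND)` returns an empty list. The checker only covers the flows you feed it, so it is a test of the policy you expect to carry rather than of every packet the box could see; that is also why the "allow all out" line in the first rule set is not flagged by itself but by the replies it leaves without a way back.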