From owner-freebsd-security Fri Jul 19 21:16:36 2002
Date: Sat, 20 Jul 2002 00:16:30 -0400
From: "Peter C. Lai"
To: Mark.Andrews@isc.org
Cc: Arvinn Løkkebakken, Mark_Andrews@isc.org, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <20020720001630.A56591@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no> <200207192354.g6JNsSJe016025@drugs.dv.isc.org>
In-Reply-To: <200207192354.g6JNsSJe016025@drugs.dv.isc.org>; from Mark.Andrews@isc.org on Sat, Jul 20, 2002 at 09:54:28AM +1000

On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
> 
> > >> # Allow "local" traffic
> > >> ipfw add allow all from any to any via lo0
> > >>
> > >> # Allow all outgoing traffic
> > >> ipfw add allow all from any to any out
> > >
> > > This is a bad idea. You should only allow out what you
> > > will accept back in. If you don't you will eventually be
> > > guilty of pounding some poor server because you haven't
> > > allowed the answers to come back.
> >
> > I can't see why that's a bad idea.
> > ipfw does allow tcp ACK back through the firewall doesn't it?
> 
> Not by default. The example this came from didn't allow
> the ACK's back in all cases.
> 
> > What do you mean only allow out what will accept in?
> 
> Communication is a two way street. For TCP and UDP
> you have .
> 
> If you allow a packet out from to
> you should allow packets from to
> back in. Or to put it another way if you don't let
> to in
> then you don't let to remote-port> out.
> 
> If you have "ipfw add allow all from any to any out" then
> you should have "ipfw add allow all from any to any in".

Or use a rule like 'allow all from any to any out [setup|keep-state]' to keep
the channel open. (With setup, you'll need an 'allow from any to any in
established' rule, and with keep-state you'll need to check-state.)

> The firewall was not configured like that. It restricted
> inbound traffic so it should similarly restrict outbound
> traffic.
> 
> You should also allow back in any ICMP traffic that may be
> generated as a result of allowing those UDP and TCP packets
> out. Similarly you should allow out any ICMP traffic
> generated as a result of letting TCP and UDP packets in.
> This is essential for correct operation of IP, UDP and TCP.
> 
> Mark
> 
> > The source and destination ports never have the same port numbers
> > anyway.
> > 
> > Arvinn
> 
> -- 
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742   INTERNET: Mark.Andrews@isc.org
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
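The disagreement in this thread is really about stateless versus stateful rules: whether the reply to a packet you let out has any rule that lets it back in. The following is an added example, not code from the thread or from FreeBSD: a deliberately small Python model of ipfw's first-match evaluation, with `setup`, `established`, `check-state` and `keep-state` approximated just far enough to replay the four rulesets discussed above (Arvinn's "allow all out", Mark's symmetric allow-in, Peter's keep-state and setup/established variants). The `Packet`, `Rule` and `Firewall` classes, the RFC 5737 sample addresses and ports, and the default-deny last rule are assumptions of the model; real ipfw also has state timeouts, returns the creating rule's action from `check-state`, and lets `keep-state` rules consult the dynamic table themselves, none of which is modelled here.

```python
# Added example: a simplified model of ipfw first-match rule evaluation,
# written for this thread, not taken from FreeBSD. Simplifications: no
# timeouts, check-state answers "allow" for any known flow, and keep-state
# rules do not consult the dynamic table themselves.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out", relative to the firewalled host
    syn_only: bool = False  # TCP SYN without ACK: the packet that sets up a connection

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    direction: str = "any"      # "in", "out" or "any"
    setup: bool = False         # like ipfw 'setup': only SYN-only TCP packets
    established: bool = False   # like ipfw 'established': TCP packets that are not SYN-only
    check_state: bool = False   # like ipfw 'check-state': consult the dynamic table, else fall through
    keep_state: bool = False    # like ipfw 'keep-state': record the flow, both directions, on match

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.direction not in ("any", p.direction):
            return False
        if self.setup and not (p.proto == "tcp" and p.syn_only):
            return False
        if self.established and not (p.proto == "tcp" and not p.syn_only):
            return False
        return True

class Firewall:
    # Rules are tried in order and the first match decides; anything that
    # matches nothing is denied (assumes a default-deny last rule).
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()   # flows learned from keep-state, stored in both directions

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.check_state:
                if self._flow(p) in self.dynamic:
                    return "allow"          # reply to a flow this host opened
                continue                    # no state: keep walking the rules
            if rule.matches(p):
                if rule.keep_state:
                    self.dynamic.add(self._flow(p))
                    self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return rule.action
        return "deny"

# Constructed sample traffic (RFC 5737 documentation addresses): a DNS query
# from this host, the server's answer, and a packet nobody asked for.
QUERY = Packet("udp", "192.0.2.10", 49152, "198.51.100.53", 53, "out")
ANSWER = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 49152, "in")
UNSOLICITED = Packet("udp", "203.0.113.9", 1234, "192.0.2.10", 49152, "in")

def allow_out_only():
    """The quoted ruleset: everything out, nothing extra in. The query leaves,
    the answer dies on the default deny, and the resolver retries the server."""
    fw = Firewall([Rule("allow", direction="out")])
    return fw.verdict(QUERY), fw.verdict(ANSWER)

def allow_both_ways():
    """Mark's symmetry rule taken literally: the answer gets back, but so does
    everything else, because the rule has no notion of 'solicited'."""
    fw = Firewall([Rule("allow", direction="out"), Rule("allow", direction="in")])
    return fw.verdict(QUERY), fw.verdict(ANSWER), fw.verdict(UNSOLICITED)

def keep_state_out():
    """check-state, then 'allow all from any to any out keep-state': the answer
    is let in because the query created state; the unsolicited packet is not."""
    fw = Firewall([Rule("allow", check_state=True),
                   Rule("allow", direction="out", keep_state=True)])
    return fw.verdict(QUERY), fw.verdict(ANSWER), fw.verdict(UNSOLICITED)

def setup_plus_established():
    """Stateless TCP variant: our own SYNs out, then anything already part of a
    conversation in either direction; a fresh inbound SYN matches no rule."""
    fw = Firewall([Rule("allow", proto="tcp", established=True),
                   Rule("allow", proto="tcp", direction="out", setup=True)])
    syn = Packet("tcp", "192.0.2.10", 50000, "198.51.100.80", 80, "out", syn_only=True)
    syn_ack = Packet("tcp", "198.51.100.80", 80, "192.0.2.10", 50000, "in")
    inbound_syn = Packet("tcp", "203.0.113.9", 4444, "192.0.2.10", 22, "in", syn_only=True)
    return fw.verdict(syn), fw.verdict(syn_ack), fw.verdict(inbound_syn)
```

Running the four functions shows the trade-off the thread circles around: `allow_out_only` lets the query out and drops the answer (Mark's "pounding some poor server"), `allow_both_ways` fixes that by admitting everything, and `keep_state_out` admits only the replies to flows this host started. The `established` variant is placed on both directions rather than only `in`, since the host's own ACKs must leave too; note that it trusts the ACK flag on the wire, which is why the stateful form is the tighter of the two.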