From owner-freebsd-security Sat Jul 20 1:51:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E7CC437B400 for ; Sat, 20 Jul 2002 01:51:34 -0700 (PDT)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5479243E42 for ; Sat, 20 Jul 2002 01:51:33 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.12.5/8.12.5) with ESMTP id g6K8pCJe016634; Sat, 20 Jul 2002 18:51:12 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200207200851.g6K8pCJe016634@drugs.dv.isc.org>
To: peter.lai@uconn.edu
Cc: Arvinn Løkkebakken, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Sat, 20 Jul 2002 00:16:30 -0400." <20020720001630.A56591@cowbert.2y.net>
Date: Sat, 20 Jul 2002 18:51:12 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
> >
> > > >> # Allow "local" traffic
> > > >> ipfw add allow all from any to any via lo0
> > > >>
> > > >> # Allow all outgoing traffic
> > > >> ipfw add allow all from any to any out
> > > >
> > > > This is a bad idea.  You should only allow out what you
> > > > will accept back in.  If you don't you will eventually be
> > > > guilty of pounding some poor server because you haven't
> > > > allowed the answers to come back.
> > >
> > > I can't see why that's a bad idea.
> > > ipfw does allow tcp ACK back through the firewall doesn't it?
> >
> > Not by default.  The example this came from didn't allow
> > the ACKs back in all cases.
> >
> > > What do you mean only allow out what will accept in?
> >
> > Communication is a two-way street.  For TCP and UDP
> > you have .
> >
> > If you allow a packet out from to
> > you should allow packets from
> > to
> > back in.  Or to put it another way if you don't let
> > to in
> > then you don't let to
> > remote-port> out.
> >
> > If you have "ipfw add allow all from any to any out" then
> > you should have "ipfw add allow all from any to any in".
>
> Or use a rule like 'allow all from any to any out [setup|keep-state]'
> to keep the channel open. (with setup, you'll need an 'allow from
> any to any in established' rule and with keep-state you'll need
> to check-state).

Sure there are plenty of ways to solve the problem, keep-state amongst
them.  The point still is that you should not allow out what you will
not allow back in.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
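The two fixes discussed in the thread, the stateless setup/established pair and the stateful keep-state/check-state pair, laid out side by side with the quoted "allow all out" ruleset they replace. This is an added example, not code from the thread or from the FreeBSD rc.firewall; it assumes a single external interface (the name fxp0 is a placeholder, override with OIF), DNS as the only outbound UDP, and a logging deny-all as the last rule. The rule lists are emitted by functions so they can be inspected without touching a live firewall; set IPFW="echo ipfw" to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Three ipfw rulesets for one host:
#   weak      - the quoted ruleset: everything out, nothing back in
#   stateless - every outbound rule has its inbound mirror
#   stateful  - keep-state on the way out, check-state on the way in
# Assumptions: external interface in OIF (placeholder fxp0), DNS is the
# only outbound UDP, final rule is a logged deny-all.

IPFW="${IPFW:-/sbin/ipfw}"   # set IPFW="echo ipfw" for a dry run
OIF="${OIF:-fxp0}"           # hypothetical external interface name

# The quoted ruleset. A SYN leaves via rule 200, the SYN/ACK coming back
# matches nothing but the final deny, and the peer keeps retransmitting.
ruleset_weak() {
	cat <<EOF
add 100 allow all from any to any via lo0
add 200 allow all from any to any out
add 65000 deny log all from any to any
EOF
}

# Stateless: "setup" matches a TCP packet with SYN and no ACK (a new
# connection we open); "established" matches TCP with ACK or RST set,
# i.e. the replies. UDP and ICMP get explicit reverse rules.
ruleset_stateless() {
	cat <<EOF
add 100 allow all from any to any via lo0
add 200 allow tcp from any to any out via $OIF setup
add 210 allow tcp from any to any in via $OIF established
add 300 allow udp from any to any 53 out via $OIF
add 310 allow udp from any 53 to any in via $OIF
add 400 allow icmp from any to any out via $OIF
add 410 allow icmp from any to any in via $OIF icmptypes 0,3,11
add 65000 deny log all from any to any
EOF
}

# Stateful: keep-state creates a dynamic rule keyed on the address/port
# pair when the first packet goes out; check-state lets the replies in
# only while that dynamic rule exists.
ruleset_stateful() {
	cat <<EOF
add 100 allow all from any to any via lo0
add 150 check-state
add 200 allow tcp from any to any out via $OIF setup keep-state
add 300 allow udp from any to any 53 out via $OIF keep-state
add 400 allow icmp from any to any out via $OIF
add 410 allow icmp from any to any in via $OIF icmptypes 0,3,11
add 65000 deny log all from any to any
EOF
}

# count_rules <ruleset-function> <pattern>: how many rules mention the
# pattern. Used to spot the defect: outbound rules with no inbound match.
count_rules() {
	"$1" | grep -c -- "$2" || true
}

# load_ruleset <ruleset-function>: flush and load, one rule per call.
load_ruleset() {
	$IPFW -q flush
	"$1" | while IFS= read -r line; do
		[ -n "$line" ] && $IPFW -q $line
	done
}

# Usage: sh fw.sh stateful        (or: IPFW="echo ipfw" sh fw.sh weak)
case "${1:-}" in
	weak|stateless|stateful) load_ruleset "ruleset_$1" ;;
esac
```

With the weak ruleset, count_rules reports one " out" rule and zero " in" rules, which is the asymmetry Mark Andrews objects to; both corrected sets pair every outbound rule with either an inbound mirror or a keep-state/check-state pair.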