Date: Sat, 31 Jul 2004 20:07:37 -0400 From: "JJB" <Barbish3@adelphia.net> To: "Giorgos Keramidas" <keramida@ceid.upatras.gr> Cc: freebsd-questions@freebsd.org Subject: RE: Firewall Rule Set not allowing access to DNS servers? Message-ID: <MIEPLLIBMLEEABPDBIEGKEDGGIAA.Barbish3@adelphia.net> In-Reply-To: <20040731224313.GA1048@gothmog.gr>
next in thread | previous in thread | raw e-mail | index | archive | help
Giorgos Thank you for your opinion about my rewrite of the handbook firewall section. It has been turned over to the FreeBSD doc group and they are sanitizing the English and getting it prepared for update to the handbook. To address your opinion that the rule set may be to limiting for a home user is covered by the following section from the document. ******************************************************************** * Firewall Rule Set Types Constructing a software application firewall rule set may seem to be trivial, but most people get it wrong. The most common mistake is to create an exclusive firewall rather than an inclusive firewall. An exclusive firewall allows all services through except for those matching a set of rules that block certain services. An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. This way you can control what services can originate behind the firewall destined for the public internet and also control which services originating from the public internet may access your network. Inclusive firewalls are far more secure than exclusive firewalls. ******************************************************************** * Now many home LAN environments have ms/windows boxes and that system is the target of all the adware and spyware programs. These unauthorized programs all most always use non-standard ports to phone home and report on your activity. The only way to defend against the 'report home action' is to block all outbound ports except for those explicitly allowed by firewall rules. Sure the ipfw firewall rule set you posted will work, but it's so less secure then the ones contained in the document I wrote. Why have a poorly defined firewall rule set that leaves a wide open doorway to the public internet when just a few more rules will result in the maximum protection possible. My document is written to give the reader the maximum protection possible by just using the included samples. This removes the trial and error testing the user have to go through now using the current handbook as a guide. New subject. I see from your post, what looks like you have an automated way to reformat MS/outlook top post to Unix Bottom post format. I sure would like to know how you are doing this. I have been on this list for 4 years and I have never seen this before. Would you please share with me and the other readers how you do this. Thanks Joe -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Giorgos Keramidas Sent: Saturday, July 31, 2004 6:43 PM To: JJB Cc: freebsd-questions@freebsd.org Subject: Re: Firewall Rule Set not allowing access to DNS servers? [-- Message reformatted to fix Outlook format --] On 2004-07-31 14:17, JJB <Barbish3@adelphia.net> wrote: >Giorgos Keramidas wrote on July 31, 2004 1:36 PM >>On 2004-07-31 12:08, "James A. Coulter" <james.coulter@cox.net wrote: >>> My LAN is configured with static IP addresses, 192.168.1.x. >>> >>> I have no problems communicating within the LAN. >>> >>> I have full connectivity with the internet from every machine on >>> my LAN when the firewall is open. >>> >>> When I use the rule set in question, I can ping and send mail but >>> I cannot access the DNS servers listed in resolv.conf. >> >> There are many ways in which your ruleset might break. Two of the >> most important comments I wanted to make when I first saw the posts >> of this thread are: [...] >> >> b) Why do you use so many rules that 'filter' outgoing traffic? >> >> I saw smtp, pop3, time, http, https and many others. You >> don't need to explicitly allow outgoing connections unless >> the users in the internal LAN are not to be trusted at all >> and even then IPFW is most of the time not the right way to >> do it. > > If you had read the start of the thread you would have read the new > handbook firewall section rewrite which explains in detail why the re > are rules to control access to the public internet from LAN users. I've read a very detailed guide that you wrote, linked by one of your posts and available online at: http://freebsd.a1poweruser.com:6088/FBSD_firewall/ This guide contains a great deal of useful information and it would be cool if it was somehow incorporated to the Handbook. It's not yet, but I like most of the text so I hope it gets converted to SGML and added to the Handbook either in parts or as a whole. If by "... which explains in detail why..." you refer to this particular quote from that document, I'm not sure that it is always a good idea but that's my own opinion: "The Outbound section in the following rule set only contains `pass' rules which contain selection values that uniquely identify the service that is authorized for public internet access." In a corporate environment, where access to the Internet has to be limited and/or controlled in a more or less strict manner, it looks like a great idea. At home, where a couple of machines share a single Internet connection through a dialup or DSL line, this might be a bit too limiting ;-) - Giorgos _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGKEDGGIAA.Barbish3>