Date: Fri, 29 Oct 1999 15:51:40 -0600
From: Nate Williams <nate@mt.sri.com>
To: "Ronald F. Guilmette" <rfg@monkeys.com>
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: Some fixes for some non-features of the /etc/rc.firewall script
Message-ID: <199910292151.PAA06826@mt.sri.com>
In-Reply-To: <726.941233584@segfault.monkeys.com>
References: <726.941233584@segfault.monkeys.com>
> The second patch below allows outsiders to connect to your AUTH port (113).
> I found that allowing this will cut down a lot on the number of pointless
> "Deny" log messages you will get if you don't have this, because a *lot*
> of things out in the real world (most notably Sendmail) _will_ try to
> connect to your local auth port whenever you connect out to them.

Or you can simply ignore them completely w/out logging them, since AUTH is
a useless protocol, and you really shouldn't have a real AUTH daemon running
on your box in any case.

> The next patch allows ICMP packets and UDP packets to flow freely between
> other machines on the local net and the current (firewall) machine and vice
> versa.  I don't see how allowing this could create a security threat, so
> it seems to me that it ought to be allowed.  I was definitely annoyed when,
> after having first tried the "simple" firewall setup, I found that I could
> no longer even ping the firewall machine from other machines on my own local
> net.

It depends on local policy whether or not the 'firewall' should be protected
from internal users.  In many installations (not mine, mind you) internal
users are *also* suspect.

> Last but not least, I added an EXPLICIT command:
>
>      ipfw add deny log ip from any to any
>
> This is intended to take the place of the implicit default "fall through"
> deny command that you will get anyway, with the only difference being that
> _this one_ asks for denied packets to be logged (and the default rule doesn't
> do that).

I like this, but it's because I have something like it.  However, I have
'ipfw add deny log all from any to any', since I don't want just to log ip
stuff. :)

Nate
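The "pointless Deny log messages" the thread argues about can be measured rather than guessed at. Below is an added example, not part of this mail thread: a small Python triage that parses ipfw "Deny" lines from syslog and tallies them per destination port, so the share of log volume caused by inbound AUTH (113) probes can be compared against everything else. The log line format and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the style syslog records ipfw denials (format assumed:
# "ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>").
SAMPLE_LOG = """\
Oct 29 15:40:01 fw /kernel: ipfw: 65534 Deny TCP 192.0.2.10:1234 198.51.100.5:113 in via fxp0
Oct 29 15:40:02 fw /kernel: ipfw: 65534 Deny TCP 192.0.2.11:33012 198.51.100.5:113 in via fxp0
Oct 29 15:40:05 fw /kernel: ipfw: 65534 Deny TCP 203.0.113.7:40000 198.51.100.5:23 in via fxp0
Oct 29 15:40:09 fw /kernel: ipfw: 65534 Deny UDP 10.0.0.8:137 10.0.0.1:137 in via fxp1
Oct 29 15:40:12 fw /kernel: ipfw: 65534 Deny TCP 192.0.2.12:4444 198.51.100.5:113 in via fxp0
"""

DENY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_denies(text):
    """Yield one dict per parsed Deny line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec

def denies_by_port(text):
    """Count denied packets per (proto, dport); the bulk usually lands on a few noisy ports."""
    return Counter((r["proto"], r["dport"]) for r in parse_denies(text))

def noise_share(text, proto="TCP", port=113):
    """Fraction of all Deny lines that are inbound hits on one port (AUTH by default)."""
    recs = list(parse_denies(text))
    if not recs:
        return 0.0
    hits = sum(1 for r in recs
               if r["proto"] == proto and r["dport"] == port and r["dir"] == "in")
    return hits / len(recs)

if __name__ == "__main__":
    for (proto, port), n in denies_by_port(SAMPLE_LOG).most_common():
        print(f"{proto}/{port}: {n}")
    print(f"inbound AUTH share of denials: {noise_share(SAMPLE_LOG):.0%}")
```

If the AUTH share is high, a silent (non-logging) rule for port 113 ahead of the logging catch-all, as Nate suggests, removes the noise without hiding the denials that matter.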