From: "Ronald F. Guilmette" <rfg@monkeys.com>
Date: Fri, 29 Oct 1999 15:00:18 -0700 (PDT)
To: nate@mt.sri.com (Nate Williams)
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: Some fixes for some non-features of the /etc/rc.firewall script
In-reply-to: Your message of Fri, 29 Oct 1999 15:51:40 -0600. <199910292151.PAA06826@mt.sri.com>
Message-ID: <779.941234418@segfault.monkeys.com>

In message <199910292151.PAA06826@mt.sri.com>, you wrote:

>> The second patch below allows outsiders to connect to your AUTH port (113).
>> I found that allowing this will cut down a lot on the number of pointless
>> "Deny" log messages you will get if you don't have this, because a *lot*
>> of things out in the real world (most notably Sendmail) _will_ try to
>> connect to your local auth port whenever you connect out to them.
>
>Or you can simply ignore them completely w/out logging them, since AUTH
>is a useless protocol, and you really shouldn't have a real AUTH daemon
>running on your box in any case.

I can't imagine how having one hurts anything. On a firewall, the only
string it will ever return to the outside world... even if it *is*
running... will be "root".

>> The next patch allows ICMP packets and UDP packets to flow freely between
>> other machines on the local net and the current (firewall) machine and vice
>> versa. I don't see how allowing this could create a security threat, so
>> it seems to me that it ought to be allowed. I was definitely annoyed when,
>> after having first tried the "simple" firewall setup, I found that I could
>> no longer even ping the firewall machine from other machines on my own local
>> net.
>
>It depends on local policy whether or not the 'firewall' should be
>protected from internal users. In many installations (not mine, mind
>you) internal users are *also* suspect.

Internal users are not "untrusted" here either. (I am the only user, in
fact, and I trust me... mostly. :-)

I imagine that this is the rule, rather than the exception, and that the
exceptional case is sites where even the local users are not trusted.
(Maybe rc.firewall really needs to have a "simple" configuration and then
also an "industrial strength" configuration.)
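An rc.firewall-style fragment covering the two rule changes debated in this thread (dropping AUTH probes quietly versus allowing them, and ICMP/UDP between the local net and the firewall itself), added here as an example; it is not the patch from the thread. The addresses and rule numbers are constructed, and it prints the ipfw commands instead of running them unless FWCMD is set to /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the original mail. Dry-run by default: with
# FWCMD unset, each rule is echoed rather than loaded into the kernel.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

# Constructed sample values for the inside network (rc.firewall uses the
# same inet/imask/iip naming for the inside interface).
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"    # the firewall's own inside address

# Variant A (the reply's suggestion): drop inbound AUTH (113) without a
# log entry. It must sit before the catch-all "deny log" rule so that
# Sendmail's ident probes stop filling the log without being answered.
auth_deny_quiet() {
    ${fwcmd} add 50100 deny tcp from any to ${iip} 113
}

# Variant B (the original patch): accept inbound AUTH connections. Only
# the SYN ("setup") is matched here; an "established" rule elsewhere in
# the script carries the rest of the connection.
auth_allow() {
    ${fwcmd} add 50100 allow tcp from any to ${iip} 113 setup
}

# ICMP and UDP between hosts on the local net and the firewall itself,
# in both directions, so the firewall can be pinged from inside. The
# inside net is written in ipfw's addr:mask form.
local_icmp_udp() {
    ${fwcmd} add 50200 allow icmp from ${inet}:${imask} to ${iip}
    ${fwcmd} add 50201 allow icmp from ${iip} to ${inet}:${imask}
    ${fwcmd} add 50202 allow udp from ${inet}:${imask} to ${iip}
    ${fwcmd} add 50203 allow udp from ${iip} to ${inet}:${imask}
}

# Everything that reaches this point is denied and logged; the rules
# above exist to keep expected traffic from ever getting here.
final_deny() {
    ${fwcmd} add 65000 deny log ip from any to any
}
```

Pick one of the two AUTH variants; both use rule number 50100 so they cannot be loaded together by mistake.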