Date:      Fri, 24 Sep 1999 11:49:56 -0600
From:      Nate Williams <nate@mt.sri.com>
To:        Brett Glass <brett@lariat.org>
Cc:        nate@mt.sri.com (Nate Williams), Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: default rc.firewall
Message-ID:  <199909241749.LAA27881@mt.sri.com>
In-Reply-To: <4.2.0.58.19990924113626.0480db00@localhost>
References:  <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>

> >Why are you allowing connections from your WWW server to folks?  WWW
> >traffic isn't generated *from* your server, but to your server.
> 
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
> 
> > >      # Allow FTP data channels in for active FTP
> > >      $fwcmd add pass log tcp from any 20 to any 1024-65535 setup
> >
> >Active ftp is a nightmare waiting to happen.  My boxes are now all set up
> >to only do passive mode ftp, and aside from the hassle of installing
> >software that defaults to passive mode, they haven't noticed anything.
> 
> Some software can't be made to do passive mode.

Then use different software.  Seriously, active-mode ftp is an exploit
waiting to happen.  Anyone can connect *from* port 20 on any box and
connect to any site internal to your domain.  Does the word
'back-orifice' mean anything to you?  People can at will connect from
the ftp-data port undetected and connect to any other services running
on any TCP port > 1024.

> I recently had to install this rule to get machines at a client site
> working. Yes, it's a significant "hole" in the firewall, but one that
> isn't easily exploited.

See above.  It's trivial to exploit, and allows a scanner to use port 20
to see *ANY* internal services in your network w/out detection.

(Yes, I am paranoid, but it comes from experience in these sorts of
things. :( )

> >Or, if you trust your internal users, you can simply use the rule
> >
> ># Internal users are trusted to only create valid connections.
> >
> >$fwcmd add pass tcp from $oip to any setup
> 
> This sort of rule is common. The main drawback is that it can let a Trojan
> Horse run rampant.

Yep.  However, I haven't (yet!) found a way to keep my users from
whining every time I set a more strict policy. :(


Nate
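An added detection example, not part of the original thread: the rule under discussion is `pass log`, so every accepted port-20 connection lands in the ipfw log, and a remote host that uses source port 20 to reach several internal hosts or many distinct high ports is behaving like the scanner described above rather than an FTP server finishing a transfer. The log lines, addresses and the exact log format below are constructed for the example and only approximate what the kernel writes.

```python
import re
from collections import defaultdict

# Constructed sample log; shape approximates
# "ipfw: <rule> <action> TCP <src>:<sport> <dst>:<dport> in via <iface>".
SAMPLE_LOG = """\
Sep 24 11:49:01 gw /kernel: ipfw: 100 Accept TCP 192.0.2.7:20 10.0.0.5:1029 in via ed0
Sep 24 11:49:02 gw /kernel: ipfw: 100 Accept TCP 192.0.2.7:20 10.0.0.5:1030 in via ed0
Sep 24 11:50:30 gw /kernel: ipfw: 200 Accept TCP 203.0.113.4:33412 10.0.0.1:80 in via ed0
Sep 24 11:52:10 gw /kernel: ipfw: 100 Accept TCP 198.51.100.9:20 10.0.0.5:1025 in via ed0
Sep 24 11:52:10 gw /kernel: ipfw: 100 Accept TCP 198.51.100.9:20 10.0.0.5:3306 in via ed0
Sep 24 11:52:11 gw /kernel: ipfw: 100 Accept TCP 198.51.100.9:20 10.0.0.5:5432 in via ed0
Sep 24 11:52:11 gw /kernel: ipfw: 100 Accept TCP 198.51.100.9:20 10.0.0.6:6000 in via ed0
Sep 24 11:52:12 gw /kernel: ipfw: 100 Accept TCP 198.51.100.9:20 10.0.0.7:8080 in via ed0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via"
)


def parse_port20_accepts(log):
    """Yield (src, dst, dport) for every accepted inbound TCP connection
    whose source port is 20, i.e. every hit on the active-FTP data rule."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "Accept" and m.group("sport") == "20":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def port20_scanners(log, port_threshold=3):
    """Flag source hosts that used port 20 to reach more than one internal
    host, or at least `port_threshold` distinct internal ports. A real FTP
    data channel goes to the one client that asked for it; a sweep through
    the rule fans out across hosts and services (the heuristic is assumed)."""
    targets = defaultdict(set)
    for src, dst, dport in parse_port20_accepts(log):
        targets[src].add((dst, dport))
    suspects = {}
    for src, pairs in targets.items():
        hosts = sorted({d for d, _ in pairs})
        ports = sorted({p for _, p in pairs})
        if len(hosts) > 1 or len(ports) >= port_threshold:
            suspects[src] = {"hosts": hosts, "ports": ports}
    return suspects
```

On the sample, `192.0.2.7` (two data connections to one client) is left alone while `198.51.100.9` is flagged for touching three hosts and five unrelated ports.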

