From: Nate Williams <nate@mt.sri.com>
Date: Fri, 24 Sep 1999 11:49:56 -0600
To: Brett Glass
Cc: nate@mt.sri.com (Nate Williams), Monte Westlund, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall

> >Why are you allowing connections from your WWW server to folks? WWW
> >traffic isn't generated *from* your server, but to your server.
>
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
>
> > > # Allow FTP data channels in for active FTP
> > > $fwcmd add pass log tcp from any 20 to any 1024-65535 setup
> >
> >Active ftp is a nightmare waiting to happen. My boxes are now all set up
> >to only do passive mode ftp, and aside from the hassle of installing
> >software that defaults to passive mode, they haven't noticed anything.
>
> Some software can't be made to do passive mode.

Then use different software. Seriously, active-mode ftp is an exploit
waiting to happen. Anyone can connect *from* port 20 on any box and
connect to any site internal to your domain. Does the word 'back-orifice'
mean anything to you? People can at will connect from the ftp-data port
undetected and connect to any other services running on any TCP port > 1024.

> I recently had to install this rule to get machines at a client site
> working. Yes, it's a significant "hole" in the firewall, but one that
> isn't easily exploited.

See above. It's trivial to exploit, and allows a scanner to use port 20
to see *ANY* internal services in your network w/out detection. (Yes, I
am paranoid, but it comes from experience in these sorts of things. :( )

> >Or, if you trust your internal users, you can simply use the rule
> >
> ># Internal users are trusted to only create valid connections.
> >
> >$fwcmd add pass tcp from $oip to any setup
>
> This sort of rule is common. The main drawback is that it can let a Trojan
> Horse run rampant.

Yep. However, I haven't (yet!) found a way to keep my users from whining
every time I set a more strict policy. :(

Nate
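As an added illustration (not part of the thread or of rc.firewall), a small Python model of the ipfw rules quoted above, used to audit what the active-FTP data-channel rule admits. Only the rule syntax quoted in the thread is parsed; the packets and the 10.x / 198.51.100.x addresses are constructed for the example, and "subnet 10" is assumed to be 10.0.0.0/8.

```python
import ipaddress
from collections import namedtuple

# syn_only=True is the condition ipfw's 'setup' keyword matches (SYN without ACK).
Packet = namedtuple("Packet", "src sport dst dport syn_only")

def _host_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec is None:  # rule names no port: any port matches
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def parse_rule(text):
    """Parse the thread's subset: '$fwcmd add pass [log] tcp from SRC [PORT] to DST [PORT] [setup]'."""
    tok = text.replace("$fwcmd", "").split()
    if tok[:2] != ["add", "pass"]:
        raise ValueError("only 'add pass' rules are modelled")
    tok = tok[2:]
    if tok[0] == "log":  # logging does not change what is admitted
        tok = tok[1:]
    if tok[:2] != ["tcp", "from"]:
        raise ValueError("only tcp rules are modelled")
    i = tok.index("to")
    src, sport = tok[2], (tok[3] if i == 4 else None)
    rest = tok[i + 1:]
    dport = rest[1] if len(rest) > 1 and rest[1] != "setup" else None
    return {"src": src, "sport": sport, "dst": rest[0], "dport": dport, "setup": rest[-1] == "setup"}

def matches(rule, pkt):
    if rule["setup"] and not pkt.syn_only:
        return False
    return (_host_match(rule["src"], pkt.src) and _port_match(rule["sport"], pkt.sport)
            and _host_match(rule["dst"], pkt.dst) and _port_match(rule["dport"], pkt.dport))

def admitted(rules, pkt):
    """Only pass rules are modelled: a packet gets in iff some rule matches, else the closing deny applies."""
    return any(matches(r, pkt) for r in rules)

ACTIVE_FTP_RULE = "$fwcmd add pass log tcp from any 20 to any 1024-65535 setup"

def audit_active_ftp_rule():
    """Admission of three constructed inbound SYNs under the active-FTP rule alone."""
    rules = [parse_rule(ACTIVE_FTP_RULE)]
    ftp_data = Packet("198.51.100.7", 20, "10.1.2.3", 49152, True)  # genuine active-FTP data channel
    unrelated = Packet("198.51.100.7", 20, "10.1.2.3", 8080, True)  # same source port, internal service on 8080
    other = Packet("198.51.100.7", 4444, "10.1.2.3", 8080, True)    # not from port 20: falls to default deny
    return admitted(rules, ftp_data), admitted(rules, unrelated), admitted(rules, other)
```

The rule cannot tell the first packet from the second, which is the point Nate makes: the only thing the firewall checks is the source port, and the remedy in the thread is to drop the rule and run passive-mode FTP.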