From owner-freebsd-security Fri Sep 24 11:21:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12])
	by hub.freebsd.org (Postfix) with SMTP id D42A3155DE
	for ; Fri, 24 Sep 1999 11:21:32 -0700 (PDT)
	(envelope-from freebsd@deepwell.com)
Received: (qmail 22443 invoked from network); 24 Sep 1999 19:07:26 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10)
	by deepwell.com with SMTP; 24 Sep 1999 19:07:26 -0000
Message-Id: <4.2.0.58.19990924110859.018517c0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Fri, 24 Sep 1999 11:20:20 -0700
To: Brett Glass , freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: default rc.firewall
In-Reply-To: <4.2.0.58.19990924115715.0480e340@localhost>
References: <199909241749.LAA27881@mt.sri.com>
	<4.2.0.58.19990924113626.0480db00@localhost>
	<4.2.0.58.19990924111600.04809a90@localhost>
	<3.0.5.32.19990923152232.007c94c0@memes.com>
	<199909241733.LAA27644@mt.sri.com>
	<4.2.0.58.19990924113626.0480db00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>At 11:49 AM 9/24/99 -0600, Nate Williams wrote:
>
> >Then use different software. Seriously, active-mode ftp is an exploit
> >waiting to happen. Anyone can connect *from* port 20 on any box and
> >connect to any site internal to your domain. Does the word
> >'back-orifice' mean anything to you?
>
>Actually, that's TWO words. ;-) Seriously, I'm well aware of the issues
>involved. There's no reason, however, to think that blocking incoming
>connections from one particular port makes you safer from Trojans. A Trojan
>can connect OUTWARD, too, and often does.
>
>And remember the eEye IIS exploit? It let you come into the hacked Web server
>*on port 80*. So, any Web server that was accessible from the outside world
>could be hacked from the outside world. And used to compromise the rest of
>the network, too.
>
>--Brett
>

I agree that you're not going to be able to completely protect your
machines by instituting these policies but if you weigh the options,
they're probably worth it.
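The port-20 point quoted above, as an added Python example that is not part of the original message: a constructed model (not ipfw syntax) comparing a filter that trusts source port 20 with one that admits a data connection only after an inside client's own PORT command. The class and function names and all addresses are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:                      # an inbound TCP connection attempt
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_allow(pkt: Syn) -> bool:
    # Rule that active-mode FTP invites: trust anything claiming source port 20.
    return pkt.src_port == 20

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

class FtpAwareFilter:
    """Admit a data connection only if an inside client requested it via PORT."""
    def __init__(self):
        self.expected = set()   # {(server_ip, client_ip, client_port)}

    def outbound_control(self, client_ip: str, server_ip: str, line: str) -> None:
        m = PORT_RE.match(line)
        if not m:
            return
        *host, p1, p2 = map(int, m.groups())
        port = p1 * 256 + p2
        if max(*host, p1, p2) > 255 or port < 1024 or ".".join(map(str, host)) != client_ip:
            return              # malformed, privileged port, or names another host
        self.expected.add((server_ip, client_ip, port))

    def allow(self, pkt: Syn) -> bool:
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.src_port == 20 and key in self.expected:
            self.expected.discard(key)   # one connection per PORT command
            return True
        return False

def demo():
    # Constructed sample traffic; all addresses are documentation/private ranges.
    fw = FtpAwareFilter()
    fw.outbound_control("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,195,80\r\n")
    wanted = Syn("192.0.2.10", 20, "10.0.0.5", 50000)      # the requested transfer
    unsolicited = Syn("203.0.113.9", 20, "10.0.0.7", 139)  # nobody asked for this
    return {
        "stateless": [stateless_allow(wanted), stateless_allow(unsolicited)],
        "ftp_aware": [fw.allow(wanted), fw.allow(unsolicited), fw.allow(wanted)],
    }
```

`demo()` shows the source-port rule accepting both connections, while the PORT-tracking filter accepts only the requested transfer, and only once.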