Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 12 Jan 1999 12:30:14 -0800 (PST)
From:      "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>
To:        "Jan B. Koum " <jkb@best.com>
Cc:        Patrick Barmentlo <pbm@gateway.barmentlo.net>, security@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <Pine.BSF.4.05.9901121227000.11885-100000@smarter.than.nu>
In-Reply-To: <19990112042358.C303@best.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, 12 Jan 1999, Jan B. Koum  wrote:

> [redirect from -hackers to -security]
> 
> On Mon, Jan 11, 1999 at 02:56:44PM -0800, "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU> wrote:
> > On Mon, 11 Jan 1999, Patrick Barmentlo wrote:
> > 
> > > Can someone please point me out to some good examples for the rc.firewall
> > > file (ipfw )??
> > > (with most variant of opties/features...)
> > > 
> > > i have to set up some filtering, but still having some difficulties with
> > > it after checking freebsd.org....
> > 
> > 
> > add 00501 allow tcp from any to smarter 1024-65535
> > 
> >  This allows all traffic to ports 1024 through 65535 (to let FTP work
> > correctly)
> 
> 
> 	This is not good! There are way MANY evil things running on ports
> 	greater then 1024. Take X windows (6000), take nfsd (2049). Most of
> 	the insecure solaris rpc crap runs in that range. This list could
> 	go on forever.

Well, I have nfsd listening for UDP only, and that's firewalled off
earlier; I selectively unfirewall hosts for NFS as a specific need
arises.  I don't actually have anything running in the 1024+ port range
except X11, and you're right, I should firewall that, but otherwise this
doesn't introduce any security vulnerabilities into my particular system.

For a network firewall, though, that is dangerous, and I agree that
passive FTP is the way to go.

-- 
Brian Buchanan                                     brian@CSUA.Berkeley.EDU
--------------------------------------------------------------------------
FreeBSD - The Power to Serve!                       http://www.freebsd.org

daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9901121227000.11885-100000>