From owner-freebsd-security  Thu Jan 14 02:07:04 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id CAA17030
          for freebsd-security-outgoing; Thu, 14 Jan 1999 02:07:04 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (whangaroa.igrin.co.nz [202.49.245.97])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA17019
          for <security@FreeBSD.ORG>; Thu, 14 Jan 1999 02:06:56 -0800 (PST)
          (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost)
	by aniwa.sky (8.8.8/8.8.7) with ESMTP id XAA00679;
	Thu, 14 Jan 1999 23:01:56 +1300 (NZDT)
	(envelope-from andrew@squiz.co.nz)
Date: Thu, 14 Jan 1999 23:00:41 +1300 (NZDT)
From: Andrew McNaughton <andrew@squiz.co.nz>
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: "Jan B. Koum " <jkb@best.com>
cc: "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>,
        Patrick Barmentlo <pbm@gateway.barmentlo.net>, security@FreeBSD.ORG
Subject: Re: examples rules ipfw
In-Reply-To: <19990112042358.C303@best.com>
Message-ID: <Pine.BSF.4.05.9901142255490.329-100000@aniwa.sky>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 12 Jan 1999, Jan B. Koum  wrote:

> > add 00501 allow tcp from any to smarter 1024-65535
> > 
> >  This allows all traffic to ports 1024 through 65535 (to let FTP work
> > correctly)
> 
> 
> 	This is not good! There are way MANY evil things running on ports
> 	greater then 1024. Take X windows (6000), take nfsd (2049). Most of
> 	the insecure solaris rpc crap runs in that range. This list could
> 	go on forever.

Depending on what you are shielding of course.  If you are only shielding
a single host, or a small number, it may be possible to comprehensively
list the ports you need to be careful of (eg netstat -a).
 
> 	You would be much better off using passive ftp (ftp -p) then opening
> 	up all those holes into your network. 

I connect to specific hosts which disallow passive ftp, so I don't use
this approach.  I'd be curious to know how common this is?

Andrew McNaughton




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message