Date:      Wed, 5 Nov 1997 16:11:18 -0500 (EST)
From:      toonces@homenet.ml.org
To:        Brandon Gillespie <brandon@roguetrader.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Security problem/oversight with user PPP!
Message-ID:  <Pine.BSF.3.95q.971105154517.2141J-100000@toon.homenet.ml.org>
In-Reply-To: <Pine.BSF.3.96.971104201200.2274C-100000@roguetrader.com>

On Tue, 4 Nov 1997, Brandon Gillespie wrote:

> I don't want to bother with passwords in my PPP config system, because
> frankly, I don't care--I'm the only one using it.  But suddenly I find the
> new PPP is allowing anybody in the world to diddle with my ppp and it's
> irritating!  (that doesn't sound good :)
> 
> Talk about a horrid default.
> 
> At the very least it should bind to port 3000 on LOCALHOST, why does there
> need to be global access to it?

	There is a way to block it.
First make sure your kernel is built with firewall options, with lines
like:

options        IPFIREWALL       #firewall
options        IPDIVERT         #divert sockets (I use it for aliasing, you may not need it)

then in your /etc/rc.conf turn on your firewall settings with this line:

firewall="open"	# Set to firewall type or NO for none.

and then in the /etc/rc.firewall file I added these lines, just before the
any-to-any policy but after the allowed localhost rule:

# loopback traffic is allowed before the deny, so localhost can still reach 3000
/sbin/ipfw add 99 pass all from 127.0.0.1 to 127.0.0.1

if [ "${firewall_type}" = "open" ]; then
    # "setup" matches only TCP connection attempts (SYN without ACK), so
    # inbound connections to port 3000 on the external address are refused
    /sbin/ipfw add 100 deny tcp from any to <your ip> 3000 setup
    /sbin/ipfw add 65000 pass all from any to any
fi

. . and this has worked great for me, simply blocking a connection in, and
notice you can still connect to 3000 via localhost.
	Of course you will have to tune it to your liking. I have two
static IPs and an aliased interface, so I have a few additions to protect
me locally and from the outside world. . hopefully this will give you a
few ideas; 'man ipfw' will give you the rule syntax to block just via an
interface, or just specific IPs, etc. . etc. . it all depends on your
situation.


kell
----------------------------------
Type Bits/KeyID    Date       User ID
pub  1024/2800AD1D 1997/10/15 toon <toonces@homenet.ml.org>
            Key fingerprint = 85 7D 9D 1D 89 57 3D CA  E2 19 8E 84 5A BD C3 90

finger toonces@homenet.ml.org for public key.
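As an added example (not part of kell's message, nor FreeBSD's own rc.firewall), a small POSIX sh script that emits the rules above for a given external address and port, and scans a "netstat -an"-style listing for a TCP listener bound to the wildcard address on that port, which is the condition that left ppp's port 3000 reachable from outside. The rule numbers follow the message; the 10.0.0.1 address and the netstat listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Emits the ipfw rules kell
# describes for a given external IP and port, and scans a "netstat -an"-style
# listing for a TCP listener bound to the wildcard address on that port.

# Rules in the order they go into /etc/rc.firewall: loopback first (rule 99),
# so local connections to the port still work, then the deny for inbound
# connection setups (SYN without ACK, ipfw's "setup"), then the open policy.
# $1 = this host's external IP, $2 = TCP port to shield (ppp's is 3000).
ppp_guard_rules() {
    ip=$1; port=$2
    printf '%s\n' \
        "/sbin/ipfw add 99 pass all from 127.0.0.1 to 127.0.0.1" \
        "/sbin/ipfw add 100 deny tcp from any to $ip $port setup" \
        "/sbin/ipfw add 65000 pass all from any to any"
}

# Reads netstat -an output on stdin and prints the local address of every
# TCP LISTEN socket on port $1 whose address is "*" (bound on all interfaces,
# hence reachable from outside). Exit status 0 if any such socket was found.
wildcard_listeners() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")           # FreeBSD prints addr.port
            if (a[1] == "*" && a[n] == p) { print $4; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing: ppp control socket on all interfaces (*.3000),
# sendmail on loopback only, another daemon on all interfaces (*.22).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.3000                 *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'

# Check the sample for an exposed listener on port $1.
check_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners "$1"
}

# Stand-alone run: report, then print the rules that would close the hole.
if check_port 3000; then
    echo "port 3000 is listening on all interfaces; suggested rules:"
    ppp_guard_rules 10.0.0.1 3000      # 10.0.0.1 is a placeholder address
fi
```

On a live box, replace the sample with the real listing (`netstat -an | wildcard_listeners 3000`) and the placeholder with the interface address the deny rule should protect.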