From: toonces@homenet.ml.org
Date: Wed, 5 Nov 1997 16:11:18 -0500 (EST)
To: Brandon Gillespie
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Security problem/oversight with user PPP!
Sender: owner-freebsd-isp@FreeBSD.ORG

On Tue, 4 Nov 1997, Brandon Gillespie wrote:

> I don't want to bother with passwords in my PPP config system, because
> frankly, I don't care--I'm the only one using it. But suddenly I find the
> new PPP is allowing anybody in the world to diddle with my ppp and it's
> irritating! (that doesn't sound good :)
>
> Talk about a horrid default.
>
> At the very least it should bind to port 3000 on LOCALHOST, why does there
> need to be global access to it?

There is a way to block it. First make sure your kernel is built with
firewall options, with lines like:

    options IPFIREWALL   #firewall
    options IPDIVERT     #divert sockets (I use for aliasing, you may not need)

Then in your /etc/rc.conf turn on your firewall settings with this line:

    firewall="open"   # Set to firewall type or NO for none.

And then in the /etc/rc.firewall file I added these lines just before the
"any from any" policy but after the allowed localhost...

    /sbin/ipfw add 99 pass all from 127.0.0.1 to 127.0.0.1
    if [ "${firewall_type}" = "open" ]; then
        # the port belongs after the destination address ("to any 3000");
        # written as "to 3000" ipfw would read 3000 as an address, not a port
        /sbin/ipfw add 100 deny tcp from any to any 3000 setup
        /sbin/ipfw add 65000 pass all from any to any

...and this has worked great for me, simply blocking a connection in, and
notice you can still connect to 3000 via localhost. Of course you will have
to tune it to your liking; I have two static IPs and an aliased interface, so
I have a few additions to protect me locally and from the outside world...
hopefully this will give you a few ideas. 'man ipfw' will give you the rule
lists to block just via an interface, or just specific IPs, etc., etc... all
depends on your situation.

kell
----------------------------------
Type Bits/KeyID    Date       User ID
pub  1024/2800AD1D 1997/10/15 toon
          Key fingerprint = 85 7D 9D 1D 89 57 3D CA E2 19 8E 84 5A BD C3 90
finger toonces@homenet.ml.org for public key.
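The rule set above works because ipfw walks rules in ascending number order and the first match decides the packet, and because "setup" only matches the SYN that opens a new TCP connection. To make that ordering visible without a FreeBSD box, here is an added example (not code from the post or from FreeBSD's ipfw): a small Python evaluator that parses the three rule lines in the "to any 3000" form and reports which rule a given packet hits. The parser covers only this subset of the ipfw syntax, the evaluator's matching logic is a simplification of the real one, and the outside address 203.0.113.5 and the packets are constructed for illustration.

```python
# Added example: toy first-match evaluator for the ipfw rule subset in the post.
# Not ipfw and not FreeBSD code; it handles only
#   add <num> <action> <proto> from <src> [port] to <dst> [port] [setup]
# and every packet below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    syn_only: bool = False  # a bare SYN, which is what ipfw's "setup" matches


@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "pass" or "deny"
    proto: str              # "all" or a protocol name
    src: str                # "any" or one address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    setup: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # "setup" limits the rule to connection attempts; established
        # traffic on the same port falls through to later rules
        if self.setup and not p.syn_only:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one '/sbin/ipfw add ...' line into a Rule (subset syntax only)."""
    tok = line.split()
    if tok[0].endswith("ipfw"):
        tok = tok[1:]
    if tok[0] != "add" or tok[4] != "from":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action, proto, src = int(tok[1]), tok[2], tok[3], tok[5]
    i, sport = 6, None
    if tok[i].isdigit():                    # optional source port
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError(f"expected 'to' in {line!r}")
    dst, i = tok[i + 1], i + 2
    dport = None
    if i < len(tok) and tok[i].isdigit():   # optional destination port
        dport, i = int(tok[i]), i + 1
    return Rule(number, action, proto, src, dst, sport, dport, "setup" in tok[i:])


def decide(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Lowest-numbered matching rule wins; no match means ipfw's default deny."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.matches(p):
            return r.action, r.number
    return "deny", None


# The three rules from the post, with the port placed after the destination.
RULES = [parse_rule(l) for l in [
    "/sbin/ipfw add 99 pass all from 127.0.0.1 to 127.0.0.1",
    "/sbin/ipfw add 100 deny tcp from any to any 3000 setup",
    "/sbin/ipfw add 65000 pass all from any to any",
]]

HOST = "207.210.90.201"   # the poster's address, taken from the mail headers
REMOTE = "203.0.113.5"    # constructed outside address (documentation range)

if __name__ == "__main__":
    cases = {
        "remote SYN to ppp port 3000": Packet("tcp", REMOTE, HOST, 3000, True),
        "localhost SYN to port 3000":  Packet("tcp", "127.0.0.1", "127.0.0.1", 3000, True),
        "remote SYN to port 22":       Packet("tcp", REMOTE, HOST, 22, True),
    }
    for name, pkt in cases.items():
        print(f"{name}: {decide(RULES, pkt)}")
```

Running it shows the remote connection attempt stopped by rule 100, the loopback attempt accepted by rule 99 before rule 100 is ever consulted, and unrelated traffic falling through to the 65000 "open" policy. Renumbering the localhost rule above 100 would make local ppp control sessions hit the deny as well, which is why the post places it before the "any from any" policy rather than after.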