Date: Sat, 20 Jul 2002 00:16:30 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Mark.Andrews@isc.org
Cc: Arvinn Løkkebakken <arvinn@whitebird.no>, Mark_Andrews@isc.org, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <20020720001630.A56591@cowbert.2y.net>
In-Reply-To: <200207192354.g6JNsSJe016025@drugs.dv.isc.org>; from Mark.Andrews@isc.org on Sat, Jul 20, 2002 at 09:54:28AM +1000
References: <4210.217.118.33.65.1027111345.squirrel@everlast.whitebird.no> <200207192354.g6JNsSJe016025@drugs.dv.isc.org>
On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
> > > >> # Allow "local" traffic
> > > >> ipfw add allow all from any to any via lo0
> > > >>
> > > >> # Allow all outgoing traffic
> > > >> ipfw add allow all from any to any out
> > >
> > > This is a bad idea. You should only allow out what you
> > > will accept back in. If you don't you will eventually be
> > > guilty of pounding some poor server because you haven't
> > > allowed the answers to come back.
> >
> > I can't see why that's a bad idea.
> > ipfw does allow tcp ACK back through the firewall, doesn't it?
>
> Not by default. The example this came from didn't allow
> the ACKs back in all cases.
>
> > What do you mean, only allow out what will accept in?
>
> Communication is a two way street. For TCP and UDP
> you have <local-address,local-port> <remote-address,remote-port>.
>
> If you allow a packet out from <local-address,local-port> to
> <remote-address,remote-port> you should allow packets from
> <remote-address,remote-port> to <local-address,local-port>
> back in. Or to put it another way, if you don't let
> <remote-address,remote-port> to <local-address,local-port> in
> then you don't let <local-address,local-port> to <remote-address,
> remote-port> out.
>
> If you have "ipfw add allow all from any to any out" then
> you should have "ipfw add allow all from any to any in".

Or use a rule like 'allow all from any to any out [setup|keep-state]' to keep the channel open. (With setup, you'll need an 'allow from any to any in established' rule, and with keep-state you'll need to check-state.)

> The firewall was not configured like that. It restricted
> inbound traffic so it should similarly restrict outbound
> traffic.
>
> You should also allow back in any ICMP traffic that may be
> generated as a result of allowing those UDP and TCP packets
> out. Similarly you should allow out any ICMP traffic
> generated as a result of letting TCP and UDP packets in.
> This is essential for correct operation of IP, UDP and TCP.
>
> Mark
>
> > The source and destination ports never have the same port numbers
> > anyway.
> >
> > Arvinn
>
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/
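As an added example (not code from the thread or from any of its posters), here is a ruleset built the way Mark and Peter describe: the restrictive inbound policy is kept, outbound is narrowed to what we expect answers for, and keep-state plus check-state lets those answers and the related ICMP errors back in. The rule numbers, the interface name fxp0 and the dry-run wrapper are assumptions; by default the script prints the ipfw commands rather than running them.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset matching the advice in the thread.
# Dry-run by default (commands are printed); run with IPFW=ipfw to apply.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-fxp0}"      # assumed external interface name

rule() {
    # Emit one numbered "ipfw add" command (or execute it when IPFW=ipfw).
    $IPFW add "$@"
}

stateless_ruleset() {
    # The shape criticised in the thread: everything may leave, but no rule
    # admits the replies, so they fall through to the final deny and the
    # remote server keeps getting retries it already answered.
    rule 100 allow all from any to any via lo0
    rule 200 allow all from any to any out
    rule 65000 deny log all from any to any
}

stateful_ruleset() {
    rule 100 allow all from any to any via lo0
    # check-state must sit before any keep-state rule; it is what matches
    # the reply direction against the dynamic entries created below.
    rule 200 check-state
    # TCP: "setup" matches only the connection-opening SYN; keep-state then
    # records <local-addr,local-port> <remote-addr,remote-port> so the
    # remote->local packets of that session are let back in.
    rule 300 allow tcp from me to any out via "$OIF" setup keep-state
    rule 310 allow udp from me to any out via "$OIF" keep-state
    # ICMP errors raised by our outbound packets (unreachable, source
    # quench, time exceeded) must be admitted for IP/TCP/UDP to behave.
    rule 400 allow icmp from any to me in via "$OIF" icmptypes 3,4,11
    # ...and the errors we generate for refused inbound traffic must get out.
    rule 410 allow icmp from me to any out via "$OIF" icmptypes 3,11
    rule 65000 deny log all from any to any
}

case "${1:-stateful}" in
    stateless) stateless_ruleset ;;
    *) stateful_ruleset ;;
esac
```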