Date: Mon, 27 Nov 2000 13:10:52 -0700 (MST)
From: Nate Williams <nate@yogotech.com>
To: Wes Peters <wes@softweyr.com>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <14882.49100.131730.989201@nomad.yogotech.com>
In-Reply-To: <3A221402.D88321D8@softweyr.com>
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org> <20001126140033.E70192@149.211.6.64.reflexcom.com> <3A218C5B.9F677E51@FreeBSD.org> <200011270130.UAA88239@khavrinen.lcs.mit.edu> <3A221402.D88321D8@softweyr.com>
> > > allow udp from any to any out
> > >
> > > But that's for my private home network. I trust myself to only send out
> > > useful, productive packets. :)
> >
> > I must admit to being puzzled by home firewalls, at least among this
> > group of people.

Because many of these 'homes' have full-time connections, which are
constantly scanned for weaknesses.

> > If you've got some promiscuous operating system from
> > Washington State running, I can somewhat understand doing that.

Even FreeBSD (*gasp*) has security problems, especially older releases
and/or misconfigured releases. Unless you want to upgrade every system in
your network every time a new security issue is found (and known), it's
better to have a policy that minimizes risks, which includes a firewall.

> > If
> > you just have a single machine, which is under your direct control,
> > then doing packet filtering is just silly. If your machine is

I disagree completely.

> > properly configured and secured, filtering out packets which would
> > otherwise be thrown away anyway serves no useful purpose.

Sure, but who determines if the packets are going to be thrown out, if not
a firewall? Your upstream provider? Most decent ISPs are not into
content-filtering your packets, so if you are silly enough to run something
(accidentally or on purpose) then the packets will get out.

> Since I have T-1 speeds coming into said basement, it is entirely likely
> that somebody may notice and attempt to hijack one or more of my machines
> to use in a DDOS attack. In fact, somebody already has tried. And failed.

Only once? I'm scanned 3-4 times/day, and weekly get script kiddies
attempting to do remote exploits.

Having been responsible for monitoring a box on the internet full-time
since '94, I can't imagine *NOT* using a firewall if you have a full-time
connection, static IP or not.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message