Date:      Mon, 16 Aug 1999 20:56:54 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        doconnor@gsoft.com.au (Daniel O'Connor)
Cc:        current@FreeBSD.ORG
Subject:   Re: Dropping connections without RST
Message-ID:  <199908170356.UAA10363@gndrsh.dnsmgr.net>
In-Reply-To: <XFMail.990817131226.doconnor@gsoft.com.au> from "Daniel O'Connor" at "Aug 17, 1999 01:12:26 pm"

> 
> On 17-Aug-99 Rodney W. Grimes wrote:
> >  I kinda like the idea of this, but can't that really just
> >  be done easily with a few ipfw rules, the last two being
> >  the important ones:
> >  
> >  for port in "22 53" ; do
> >       ipfw add allow udp from any to ${myip} ${port}
> >       ipfw add allow udp from ${myip} ${port} to any
> >       ipfw add allow tcp from any to ${myip} ${port}
> >       ipfw add allow tcp from ${myip} ${port} to any
> >  done
> >  ipfw add deny udp from any to ${myip}
> >  ipfw add deny tcp from any to ${myip}
> >  
> >  Why should we special case this?
> 
> Because this doesn't work for non-passive FTP for starters..

Now what would a box with so much security concern such that
it needed this knob be doing running an ftp session.... though
your point is valid and acceptable for low security boxes.  And
I can see the real benefit that having this knob for those boxes
would be, since it would mean not having to spend the care and
attention to create a proper firewall rule set.

The idea is okay in the general sense, this is an easy knob to
add, it would increase the security of some boxes, and not require
great configuration pains of writing ipfw rules.

Would I use it in place of ipfw for what the original person asked
about, no way, not in a million years.  If I want a box secure it
is going to have ipfw or ipfilter rules down to the last detail.
Why, well, it would prevent some junior admin from defeating policy
by starting up something we don't want anyone to connect to on that
box, like ftpd...

IMHO, this knob would give some folks a false sense of security,
but not so much that I would argue about keeping it out.  

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
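To see concretely what the rule set quoted in this thread does to each kind of packet, and how a variant using ipfw's `setup` and `established` TCP options differs, here is a first-match simulator over a small subset of ipfw rule syntax. This is an added example, not code from the thread or from FreeBSD: the addresses, the port list and the packets are constructed for illustration, and the simulator assumes the kernel's default rule accepts (what IPFIREWALL_DEFAULT_TO_ACCEPT gives you), which is what the quoted rules need for the box's own outbound traffic to pass at all.

```python
"""First-match simulator for a subset of ipfw rule syntax (added example)."""
from dataclasses import dataclass

MYIP = "192.0.2.10"     # assumed address of the protected box (constructed)
PEER = "198.51.100.7"   # assumed remote host (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def parse_rule(text):
    """Parse 'ACTION PROTO from SRC [SPORT] to DST [DPORT] [setup|established]'.
    'any' and an omitted port are wildcards, as in ipfw."""
    toks = text.split()
    rule = {"action": toks[0], "proto": toks[1]}
    i = 2
    for side in ("src", "dst"):
        assert toks[i] in ("from", "to")
        i += 1
        rule[side] = toks[i]
        i += 1
        rule[side + "port"] = None
        if i < len(toks) and toks[i].isdigit():
            rule[side + "port"] = int(toks[i])
            i += 1
    rule["opts"] = set(toks[i:])          # TCP options: setup / established
    return rule


def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    for side, addr, port in (("src", pkt.src, pkt.sport), ("dst", pkt.dst, pkt.dport)):
        if rule[side] != "any" and rule[side] != addr:
            return False
        if rule[side + "port"] is not None and rule[side + "port"] != port:
            return False
    if "setup" in rule["opts"] and not (pkt.syn and not pkt.ack):
        return False
    if "established" in rule["opts"] and not pkt.ack:   # real ipfw: ACK or RST set
        return False
    return True


def verdict(rules, pkt, default="allow"):
    """First matching rule wins; otherwise the (assumed accept) default rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


def quoted_ruleset(myip=MYIP, ports=(22, 53)):
    """The rules quoted in the thread, expanded for the given ports."""
    rules = []
    for p in ports:
        rules += [f"allow udp from any to {myip} {p}", f"allow udp from {myip} {p} to any",
                  f"allow tcp from any to {myip} {p}", f"allow tcp from {myip} {p} to any"]
    rules += [f"deny udp from any to {myip}", f"deny tcp from any to {myip}"]
    return [parse_rule(r) for r in rules]


def stateless_ruleset(myip=MYIP, ports=(22, 53)):
    """Same policy, but replies to connections the box opens are admitted and
    only SYNs to the listed ports may start an inbound connection."""
    rules = ["allow tcp from any to any established"]
    for p in ports:
        rules += [f"allow udp from any to {myip} {p}", f"allow tcp from any to {myip} {p} setup"]
    rules += [f"deny udp from any to {myip}", f"deny tcp from any to {myip}"]
    return [parse_rule(r) for r in rules]


def scenarios(myip=MYIP, peer=PEER):
    """Constructed packets covering the cases argued in the thread."""
    return {
        "inbound ssh SYN":     Packet("tcp", peer, 40000, myip, 22, syn=True),
        "inbound ftpd SYN":    Packet("tcp", peer, 40001, myip, 21, syn=True),
        "our outbound SYN":    Packet("tcp", myip, 50000, peer, 80, syn=True),
        "reply to our SYN":    Packet("tcp", peer, 80, myip, 50000, syn=True, ack=True),
        "active-ftp data SYN": Packet("tcp", peer, 20, myip, 50001, syn=True),
    }


def evaluate(rules):
    """Verdict per scenario for one rule set."""
    return {name: verdict(rules, pkt) for name, pkt in scenarios().items()}


if __name__ == "__main__":
    quoted, stateless = evaluate(quoted_ruleset()), evaluate(stateless_ruleset())
    for name in scenarios():
        print(f"{name:22} quoted={quoted[name]:6} setup/established={stateless[name]}")
```

Two things stand out in the output. The quoted rules drop the SYN/ACK coming back to the box's own outbound connection, because the final `deny tcp from any to ${myip}` matches any inbound segment whose destination port is not on the list; the `established` rule in the second set fixes that without opening any port. The active-mode FTP data connection (server port 20 dialling the client's ephemeral port) is denied by both sets, which is the case Daniel raised: a port-based filter cannot admit it without opening the ephemeral range, and even a stateful ipfw `keep-state` rule only helps for traffic that is a reply to something the box sent. For the subject of the thread itself, ipfw's `deny` already drops silently, while the `reset` action is what sends the RST.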



