Date:      Fri, 24 Sep 1999 11:33:14 -0600
From:      Nate Williams <nate@mt.sri.com>
To:        Brett Glass <brett@lariat.org>
Cc:        Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: default rc.firewall
Message-ID:  <199909241733.LAA27644@mt.sri.com>
In-Reply-To: <4.2.0.58.19990924111600.04809a90@localhost>
References:  <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost>

> The default rc.firewall's "simple" ruleset lets through so little that it
> is not a good default for most users -- especially users who are creating
> a NAT router. (Of course, it does not work at all unless you set the
> variables near the beginning of the ruleset properly.)
> 
> Usually, I see folks add rules like the following:
> 
>      # Allow access to our WWW server and vice versa
>      $fwcmd add pass tcp from any to ${oip} 80 setup
>      $fwcmd add pass tcp from ${oip} 80 to any setup

Why are you allowing connections from your WWW server to folks?  WWW
traffic isn't generated *from* your server, but to your server.

>      # Allow FTP data channels in for active FTP
>      $fwcmd add pass log tcp from any 20 to any 1024-65535 setup

Active ftp is a nightmare waiting to happen.  My boxes are now all set up
to only do passive mode ftp, and aside from the hassle of installing
software that defaults to passive mode, they haven't noticed anything.

>      # Allow SSH through, both ways
>      $fwcmd add pass tcp from any to ${oip} 22
>      $fwcmd add pass tcp from $oip to any 22
> 
> Remember that if you have more than one external IP you will
> need to duplicate many rules.

Or, if you trust your internal users, you can simply use the rule

# Internal users are trusted to only create valid connections.

$fwcmd add pass tcp from $oip to any setup

Building a firewall is sometimes a hit/miss proposition because you never
know *what* kind of traffic is being generated on a LAN, and what I've
found is that too often I shut someone down from doing something they
think they want.

(On the other hand, with the number of hacks available to the world,
we've been able to convince the users and management that some of the
'nice' services they like are no longer a good idea, usually by pointing
them to a CERT advisory and/or similar document explaining how we can get
broken into with the service. :( )




Nate

> 
> --Brett
> 
> At 03:22 PM 9/23/99 -0700, Monte Westlund wrote:
> >Hello,
> >I setting up a FreeBSD box as firewall to a windows LAN. I've installed 2
> >NIC's. One connects to a DSL modem, the other connects to the LAN.
> >
> >Using the 'simple' firewall that is in the default rc.firewall I can't get
> >out from any of the machines on the LAN without adding
> >
> >allow ip from any to any
> >
> >to the ipfw rules. I have been adding it manually using 'ipfw add ....'
> >
> >Can anyone point me in the direction of an example of a 'modified'
> >rc.firewall for the simple firewall? Or give me an idea of what I need to
> >add/allow?
> >
> >Thanks,
> >Monte Westlund
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
> 
> 
> 
> 


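The "modified rc.firewall" Monte asks for, built from the rules this thread argues over (one outbound setup rule from the outside address instead of a pair per service, no active-FTP rule, no server-to-world rules), as an added example. It is not the stock rc.firewall and not a ruleset posted by Nate, Brett or Monte. The interface names ed0/ed1, the addresses 192.0.2.10 and 192.168.1.0/24, the script name rc.firewall.sh and the FWCMD variable are this example's own assumptions; natd is assumed to be running on the outside interface.

```shell
#!/bin/sh
# Added example: a minimal ipfw ruleset for a FreeBSD box routing a LAN to a
# DSL line with natd, in the style of rc.firewall's "simple" section. Not the
# stock rc.firewall and not a ruleset from this thread; the interface names
# and addresses below are placeholders (assumed), change them for your box.
#
# The kernel needs options IPFIREWALL and IPDIVERT, and natd must be running
# on the outside interface (natd -n ${oif}). "deny log" rules only reach
# syslog when net.inet.ip.fw.verbose is 1.

oif="ed0"              # outside interface (DSL modem)        -- placeholder
oip="192.0.2.10"       # its address                          -- placeholder
iif="ed1"              # inside interface (Windows LAN)       -- placeholder
inet="192.168.1.0"     # inside network and mask              -- placeholder
imask="255.255.255.0"

# build_ruleset loads the rules through ${FWCMD} (default /sbin/ipfw).
# FWCMD="echo ipfw" turns it into a dry run that prints the commands instead.
build_ruleset() {
    fw="${FWCMD:-/sbin/ipfw}"

    ${fw} -f flush

    # Loopback: allow, but drop anything for 127/8 arriving on a real interface.
    ${fw} add 100 pass all from any to any via lo0
    ${fw} add 200 deny all from any to 127.0.0.0/8

    # Anti-spoofing: LAN addresses never arrive from outside, and only LAN
    # addresses arrive from inside.
    ${fw} add 300 deny log all from ${inet}:${imask} to any in via ${oif}
    ${fw} add 310 deny log all from not ${inet}:${imask} to any in via ${iif}

    # The LAN side is trusted (the thread's "trust your internal users").
    # ipfw checks a forwarded packet twice, once per interface, so without
    # this a LAN host's SYN is dropped on ${iif} before it ever reaches the
    # NAT rule and the ${oip} setup rule below.
    ${fw} add 400 pass all from any to any via ${iif}

    # NAT. This must precede the TCP rules: after natd, outbound LAN packets
    # carry ${oip} as source and inbound replies carry the LAN host as
    # destination, and the rules below are written for those addresses.
    ${fw} add 500 divert natd all from any to any via ${oif}

    # Packets of already established TCP connections (ACK set), either way.
    ${fw} add 600 pass tcp from any to any established

    # Outbound connections from the router or (after NAT) from the LAN: one
    # rule instead of one pair per service. Passive FTP is fully covered
    # here, control and data channels are both outbound, so there is no
    # "from any 20 to any 1024-65535 setup" rule: that one would admit any
    # inbound SYN whose source port is 20 to every high port.
    ${fw} add 700 pass tcp from ${oip} to any setup

    # Services offered on the router itself. Connections are only ever made
    # *to* 22 and 80; no "from ${oip} 80 to any setup" rule is needed.
    ${fw} add 800 pass tcp from any to ${oip} 22 setup
    ${fw} add 810 pass tcp from any to ${oip} 80 setup

    # DNS: queries out from ${oip} (LAN queries look like this after NAT),
    # replies back to the router or, after NAT, to a LAN host.
    ${fw} add 900 pass udp from ${oip} to any 53
    ${fw} add 910 pass udp from any 53 to ${oip}
    ${fw} add 920 pass udp from any 53 to ${inet}:${imask}

    # ICMP a working network needs: echo reply/request, unreachable
    # (including "fragmentation needed"), time exceeded.
    ${fw} add 1000 pass icmp from any to any icmptypes 0,3,8,11

    # Everything else, including inbound SYNs to ports not listed above.
    ${fw} add 65000 deny log all from any to any
}

# sh rc.firewall.sh load   -> install the rules
# sh rc.firewall.sh -n     -> print the ipfw commands without loading them
case "${1:-}" in
    "")   ;;                                  # sourced/included: define only
    -n)   FWCMD="echo ipfw"; build_ruleset ;;
    *)    build_ruleset ;;
esac
```

Run it with -n first and read the order: the divert rule has to sit above every rule that names ${oip}, or LAN hosts get out but their replies die at rule 910 because natd has already rewritten the destination. Load it from the console rather than over ssh, since between the flush and rule 600 nothing passes an existing session, and a script that dies halfway leaves the box at the default deny. Other UDP services the LAN needs (NTP, for instance) get their own pair next to the DNS rules; that per-service listing is the hit/miss part Nate describes.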




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909241733.LAA27644>