Date: Fri, 24 Sep 1999 11:49:56 -0600
From: Nate Williams <nate@mt.sri.com>
To: Brett Glass <brett@lariat.org>
Cc: nate@mt.sri.com (Nate Williams), Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <199909241749.LAA27881@mt.sri.com>
In-Reply-To: <4.2.0.58.19990924113626.0480db00@localhost>
References: <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <199909241733.LAA27644@mt.sri.com> <4.2.0.58.19990924113626.0480db00@localhost>
> >Why are you allowing connections from your WWW server to folks? WWW
> >traffic isn't generated *from* your server, but to your server.
>
> Ah, but the same box is also doing NAT for internal machines. If
> connections on port 80 weren't allowed OUT, then people on the
> local "subnet 10" couldn't browse the Web. The person who posted
> the original message of this thread seemed to want NAT to work
> (please correct me if I'm wrong here).
>
> > > # Allow FTP data channels in for active FTP
> > > $fwcmd add pass log tcp from any 20 to any 1024-65535 setup
> >
> >Active ftp is a nightmare waiting to happen. My boxes are now all set up
> >to only do passive mode ftp, and aside from the hassle of installing
> >software that defaults to passive mode, they haven't noticed anything.
>
> Some software can't be made to do passive mode.

Then use different software.

Seriously, active-mode ftp is an exploit waiting to happen. Anyone can
connect *from* port 20 on any box and connect to any site internal to
your domain. Does the word 'back-orifice' mean anything to you? People
can at will connect from the ftp-data port undetected and connect to
any other services running on any TCP port > 1024.

> I recently had to install this rule to get machines at a client site
> working. Yes, it's a significant "hole" in the firewall, but one that
> isn't easily exploited.

See above. It's trivial to exploit, and it allows a scanner to use port 20
to see *ANY* internal services in your network without detection.

(Yes, I am paranoid, but it comes from experience in these sorts of
things. :( )

> >Or, if you trust your internal users, you can simply use the rule
> >
> ># Internal users are trusted to only create valid connections.
> >
> >$fwcmd add pass tcp from $oip to any setup
>
> This sort of rule is common. The main drawback is that it can let a Trojan
> Horse run rampant.

Yep. However, I haven't (yet!) found a way to keep my users from whining
every time I set a more strict policy. :(

Nate
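Added example, not code from this thread or from rc.firewall: a small evaluator for the two ipfw-style rules quoted above, run against constructed connection attempts to audit what each rule admits. It assumes the semantics Nate relies on (a `pass ... setup` rule matches a connection's initial SYN, and anything no rule matches is dropped), and the addresses, the `$oip` value and the probe list are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Syn:                # one constructed TCP connection attempt (what ipfw's "setup" matches)
    src: str
    sport: int
    dst: str
    dport: int

def _port_ok(spec: str, port: int) -> bool:
    # Port specs in the quoted rules are "any", a single port, or a "lo-hi" range.
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def _host_ok(spec: str, host: str, vars_: dict) -> bool:
    spec = vars_.get(spec, spec)  # expand rc.firewall-style variables such as $oip
    return spec == "any" or spec == host

def rule_matches(rule: str, pkt: Syn, vars_: dict) -> bool:
    """Parse 'pass [log] tcp from SRC [SPORT] to DST [DPORT] [setup]' and test pkt against it."""
    toks = rule.split()
    i = toks.index("from") + 1
    src, i = toks[i], i + 1
    sport = "any"
    if toks[i] != "to":
        sport, i = toks[i], i + 1
    dst, i = toks[i + 1], i + 2           # skip "to", take the destination host
    dport = toks[i] if i < len(toks) and toks[i] != "setup" else "any"
    return (_host_ok(src, pkt.src, vars_) and _port_ok(sport, pkt.sport)
            and _host_ok(dst, pkt.dst, vars_) and _port_ok(dport, pkt.dport))

def allowed(ruleset: list, pkt: Syn, vars_: dict) -> bool:
    """Pass rules only, implicit final deny: the SYN gets through if any rule matches."""
    return any(rule_matches(r, pkt, vars_) for r in ruleset)

def exposure(ruleset: list, probes: list, vars_: dict) -> list:
    """The probes a ruleset lets through; run it to audit a candidate rc.firewall."""
    return [p for p in probes if allowed(ruleset, p, vars_)]
VARS = {"$oip": "10.0.0.5"}                                          # constructed internal host
ACTIVE_FTP = ["pass log tcp from any 20 to any 1024-65535 setup"]    # rule quoted in the thread
INTERNAL_TRUSTED = ["pass tcp from $oip to any setup"]               # rule quoted in the thread
PROBES = [                                                           # constructed attempts
    Syn("192.0.2.9", 20, "10.0.0.5", 8080),    # outsider sourcing from port 20 to an internal high port
    Syn("192.0.2.9", 20, "10.0.0.5", 22),      # same source port, but a low destination port
    Syn("192.0.2.9", 4444, "10.0.0.5", 8080),  # outsider from an ordinary ephemeral port
    Syn("10.0.0.5", 50000, "192.0.2.9", 80),   # internal user browsing out through the NAT box
]
```

Running `exposure(ACTIVE_FTP, PROBES, VARS)` returns only the first probe: the rule admits any outside host that sources from port 20 to every internal port from 1024 up, which is the exposure Nate describes, while the `$oip` rule admits only the outbound connection from the trusted internal host.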