Date:      Sat, 4 Dec 1999 08:57:12 -0700
From:      Nate Williams <nate@mt.sri.com>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        Nate Williams <nate@mt.sri.com>, "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <199912041557.IAA16413@mt.sri.com>
In-Reply-To: <384910D5.43271787@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com> <3847F55E.B546B2EB@algroup.co.uk> <199912031658.JAA11193@mt.sri.com> <3847F939.47978597@algroup.co.uk> <199912031729.KAA11375@mt.sri.com> <384812A7.EAAB3BD8@algroup.co.uk> <199912032006.NAA12109@mt.sri.com> <384910D5.43271787@algroup.co.uk>

> > The problem is that there is no generic solution.
> 
> As I pointed out earlier on, this is a generic solution - it just needs
> a few different versions of the rules to cope with each scenario. I will
> say it one last time, then give up: your ruleset allows UDP services to
> be attacked from a "trusted" host, or something that is able to spoof
> it. Mine does not.

Except in many cases, the 'trusted' host *IS* the firewall itself, or a
machine that you *can* trust if it's inside the firewall.

This is acceptable in many cases, and for what it's worth, in my ruleset
it still doesn't allow UDP services to be attacked.  You didn't read
*my* list of rules very carefully.

Nate
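Added illustration of the point argued in this exchange (it is not a ruleset from Nate, Adam, or the FreeBSD rc.firewall; the addresses, interface names and rules are assumptions). A toy first-match filter in the spirit of ipfw shows that a UDP allow rule keyed only on a "trusted" source address also admits a packet that forges that address from the outside, while a rule that drops inside addresses arriving on the outside interface, and then binds the allow to the receiving interface (the `in recv <iface>` / `via <iface>` idea in ipfw), does not:

```python
# Added example, not code from the thread. Toy first-match packet filter
# (like ipfw: first matching rule decides, default deny) used to compare a
# UDP allow rule keyed on source address alone with an interface-bound one.
# Addresses, interface names and rule contents are assumptions.
from dataclasses import dataclass
from typing import Optional

TRUSTED = "10.0.0.5"             # assumed "trusted" host on the inside
FIREWALL = "10.0.0.1"            # assumed firewall address running a UDP service
INSIDE, OUTSIDE = "fxp0", "fxp1"  # assumed inside / outside interfaces


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    recv: str       # interface the packet was received on


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "ip"             # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    recv: Optional[str] = None    # None: no receiving-interface constraint

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.recv in (None, p.recv))


def decide(rules: list, p: Packet) -> str:
    """First matching rule wins; nothing matching means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Weak: trust rests on the source address alone, which anyone can forge.
WEAK = [
    Rule("allow", "udp", TRUSTED, FIREWALL, 53),
    Rule("deny"),
]

# Hardened: first drop anything claiming the inside address but arriving on
# the outside interface (anti-spoofing), then allow the UDP service only for
# packets that really came in on the inside interface.
HARDENED = [
    Rule("deny", "ip", TRUSTED, "any", recv=OUTSIDE),
    Rule("allow", "udp", TRUSTED, FIREWALL, 53, recv=INSIDE),
    Rule("deny"),
]

# Constructed sample traffic: the real trusted host, and a forged copy of it
# arriving from the outside.
LEGIT = Packet("udp", TRUSTED, FIREWALL, 53, recv=INSIDE)
SPOOFED = Packet("udp", TRUSTED, FIREWALL, 53, recv=OUTSIDE)


def compare(p: Packet) -> dict:
    """Decision of each ruleset for one packet."""
    return {"weak": decide(WEAK, p), "hardened": decide(HARDENED, p)}


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, compare(pkt))
```

The interface binding only defeats forgery from the outside. A packet that genuinely originates on the inside segment, whether from the trusted host itself or from a neighbour forging its address on the same wire, still matches the allow rule, which is the residual risk the reply above accepts when the trusted host is the firewall or a machine inside it that can actually be trusted.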