Date: Tue, 20 Feb 2001 12:05:46 -0800 (PST)
From: Nick Sayer <nsayer@quack.kfu.com>
To: freebsd-security@freebsd.org
Subject: /etc/rc.firewall fixes
Message-ID: <200102202005.f1KK5kv83619@medusa.kfu.com>
I would like to suggest a new "simple" firewall configuration.
I recently put a security fix in the prototype /etc/rc.firewall
stuff to close up a rather glaring security hole.
The old stuff did
pass udp from any 53 to ${oip}
which allows someone to communicate, for instance, with port 2049 so
long as they bind their end to 53. The state keeping stuff is the
correct solution.
My proposed "simple" firewall config goes something like this:
check-state
pass udp from ${mynet} to any keep-state
pass all from ${mynet} to any
pass tcp from any to any established
pass icmp from any to any
This simple set of rules represents a simple one-way setup. UDP is
allowed to go out, and matching replies are allowed to come back in.
TCP sessions are allowed to go out only.
By itself it is not a complete ruleset, but I think it is a better one
than any of the examples we presently have. I haven't committed this
because I wanted to start some discussion first and commit the resulting
consensus.
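The following is an added illustration, not part of Nick Sayer's message or of FreeBSD's rc.firewall: a small Python model of ipfw rule matching that runs the same packets through the old stateless rule (`pass udp from any 53 to ${oip}`) and through the proposed `check-state` / `keep-state` pair. The addresses (10.0.0.0/24 as ${mynet}, 10.0.0.1 as ${oip}, 198.51.100.7 as an outside resolver, 203.0.113.9 as an attacker) and the packets are constructed for the example; the dynamic-rule bookkeeping is a simplification of what ipfw actually keeps, sufficient to show why a source port of 53 alone is not enough.

```python
"""Model of the rc.firewall change discussed above (added example,
not FreeBSD code). Addresses and packets are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MYNET = ip_network("10.0.0.0/24")   # stands in for ${mynet} (assumed)
OIP = ip_address("10.0.0.1")        # stands in for ${oip} (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class OldFirewall:
    """The old rule: 'pass udp from any 53 to ${oip}'.
    Stateless, so anything bound to UDP/53 on the far end gets in."""

    def allow_inbound(self, p: Packet) -> bool:
        return p.proto == "udp" and p.sport == 53 and ip_address(p.dst) == OIP


class StatefulFirewall:
    """The proposed pair: 'check-state' followed by
    'pass udp from ${mynet} to any keep-state'."""

    def __init__(self) -> None:
        # Simplified dynamic-rule table keyed on the outbound 4-tuple.
        self.state: set[tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> bool:
        """keep-state: an outbound UDP packet from ${mynet} creates a dynamic rule."""
        if p.proto == "udp" and ip_address(p.src) in MYNET:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def allow_inbound(self, p: Packet) -> bool:
        """check-state: inbound UDP matches only the reverse of a recorded flow."""
        return p.proto == "udp" and (p.dst, p.dport, p.src, p.sport) in self.state


def scenario() -> dict[str, bool]:
    """Send a legitimate DNS query out, then test a real reply and an
    attacker's packet to port 2049 (NFS) that is merely bound to port 53."""
    query = Packet("udp", str(OIP), 40123, "198.51.100.7", 53)
    reply = Packet("udp", "198.51.100.7", 53, str(OIP), 40123)
    attack = Packet("udp", "203.0.113.9", 53, str(OIP), 2049)

    old = OldFirewall()
    new = StatefulFirewall()
    new.outbound(query)  # the host asked the resolver something first

    return {
        "old_reply": old.allow_inbound(reply),    # legitimate reply passes
        "old_attack": old.allow_inbound(attack),  # so does the attacker: the hole
        "new_reply": new.allow_inbound(reply),    # reply matches the dynamic rule
        "new_attack": new.allow_inbound(attack),  # no matching outbound flow: dropped
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'pass' if allowed else 'deny'}")
```

The point the model makes is that the stateful rule ties inbound UDP to a flow the inside host actually started, so port 2049 is reachable only if something on ${oip} first sent a datagram to the attacker's port 53, whereas the old rule lets any remote host talk to any UDP port by binding its socket to 53.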
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102202005.f1KK5kv83619>
