Date: Wed, 20 Jun 2001 21:53:00 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Malcolm <malcolm@ocf.berkeley.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
Message-ID: <20010620215300.C740@blossom.cjclark.org>
In-Reply-To: <Pine.SOL.4.33.0106201809290.23365-100000@famine.OCF.Berkeley.EDU>; from malcolm@ocf.berkeley.edu on Wed, Jun 20, 2001 at 06:18:33PM -0700
References: <Pine.SOL.4.33.0106201809290.23365-100000@famine.OCF.Berkeley.EDU>
On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?

Well, "we" (OK, just me) think that it depends entirely on the purpose of the box and your local security policies. There is no "right" answer. But two things to consider:

If you have locked down services on a box and then firewall but allow access to these services, what are you protecting? What does the firewall actually do to hamper a remote attacker? It really does not add anything. However, closing up all services is not as easy as it sounds and a firewall is an extra layer of protection against mistakes in locking them down. IMHO, unless the box is security critical, the administrative costs of all of the firewalling probably exceed the security gain for resisting external attack.

However, a firewall in this situation might protect you more from _local_ users. That is, local users cannot start listening daemons on high ports on their own. Again, depending on the site policy, this may be good or bad. If policy is that users are trusted and _should_ be able to do things like that, firewalling is bad. OTOH, if users are less trusted and policy forbids these things, firewalling is the best way to stop it.

$0.02 for ya'.
-- 
Crist J. Clark                          cjclark@alum.mit.edu
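For reference, here is what the ruleset Malcolm describes looks like in IPFilter syntax: block everything inbound on a non-gateway box except the services it is supposed to offer. This is an added example, not a ruleset from the original thread or from either poster. It assumes the external interface is fxp0, that the only public services are HTTP and FTP as in the question, and that the FTP daemon has been configured to use ports 49152 and up for passive-mode data connections; those are assumptions, not anything the thread states.

```conf
# /etc/ipf.rules -- added example, not from the original post.
# Assumed: external interface fxp0; public services are HTTP (80) and
# FTP (21); the FTP daemon is pinned to 49152-65535 for passive data.

# Loopback stays wide open.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anything the box itself originates is allowed out.  "keep state" means
# the replies come back in through the state table, so no "pass in" rule
# is needed for them.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The services we actually want reachable.  "flags S" means only a
# plain SYN can create a state entry; the rest of the session rides on it.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep state

# Passive-mode FTP data connections arrive on a high port chosen by the
# server, so a range has to be opened and the daemon pinned to it.  This
# is the "closing up all services is not as easy as it sounds" part:
# forget it and passive FTP half-works; open 1024-65535 instead and the
# local-user argument below evaporates.
pass in quick on fxp0 proto tcp from any to any port >= 49152 flags S keep state

# Everything else inbound is dropped and logged.  This last rule is what
# keeps a local user's "nc -l 8080" from being reachable from outside: the
# socket still binds, but no packet from fxp0 ever reaches it.
block in log quick on fxp0 all
```

Before writing the "pass in" rules, `sockstat -4l` shows what is actually listening on the box, which is the list you are deciding about. `ipf -Fa -f /etc/ipf.rules` flushes and loads the set, `ipfstat -io` prints the rules the kernel holds, and `ipfstat -s` shows the state table; on FreeBSD the set is made persistent with `ipfilter_enable="YES"` and `ipfilter_rules="/etc/ipf.rules"` in /etc/rc.conf. Note that the passive-FTP range is exactly the kind of hole the message warns about: it has to be kept in step with the FTP daemon's configuration, and widening it for convenience gives back the high ports to local users' daemons.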
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010620215300.C740>