Date: Thu, 12 Sep 2002 15:42:11 -0700 (PDT) From: Jason Stone <jason-fbsd-security@shalott.net> To: <freebsd-security@FreeBSD.ORG> Subject: Re: ipfw, natd, and keep-state - strange behavior? Message-ID: <20020912152423.M3276-100000@walter> In-Reply-To: <12908E71-C69D-11D6-90D4-000A27D85A7E@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > Having the firewall permit such packets and counting on the client to
> > correctly discard them is probably a bad idea - after all, if you trust
> > the clients to run a properly configured and non-broken OS, why have a
> > firewall at all?
>
> Defense in depth.
Yes, that's exactly my point - you are advocating that we have the
firewall permit more than we need to and trust the clients. I'm saying
that of course you try to do as good a job securing the clients as you
can, but you also have the firewall be as restrictive as possible so that
you're trusting the clients as little as possible.
> What happens if the packets don't go through the dynamic firewall? Or
> are sent in response to an internal request and dynamicly permitted
> through?
> Presuming that you should permit responses to internal requests because
> internally-initiated requests are supposed to be "safer" is an assumption
> that I question.
We are not presuming anything of the kind - obviously, any packets that
you mean to deny you set up deny rules for. We are talking about
a situation where you want to allow a particular outbound service. With
your ruleset, you are allowing packets back into the internal network that
should never be allowed in there. With a ruleset that involves
keep/check-state, you have the same semantics in terms of what you mean to
allow, but you deny more packets that shouldn't be allowed. And if you're
only setting keep-state on the rules allowing the outbound setup packets,
you probably don't have to worry about DoS.
We're replacing:
allow tcp from $INET to any 22 setup
allow tcp from any 22 to $INET established
with
check-state
allow tcp from $INET to any 22 setup keep-state
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE9gRhDswXMWWtptckRArKuAJ9bV+AM72M0sKZj63IkGLmCTbI9UwCgqbiz
mqoMdw+4bj50uCVTFC4OTlw=
=I8Mr
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020912152423.M3276-100000>