Date: Fri, 24 Sep 1999 11:41:55 -0600
From: Brett Glass <brett@lariat.org>
To: nate@mt.sri.com (Nate Williams)
Cc: Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <4.2.0.58.19990924113626.0480db00@localhost>
In-Reply-To: <199909241733.LAA27644@mt.sri.com>
References: <4.2.0.58.19990924111600.04809a90@localhost> <3.0.5.32.19990923152232.007c94c0@memes.com> <4.2.0.58.19990924111600.04809a90@localhost>
At 11:33 AM 9/24/99 -0600, Nate Williams wrote:

>Why are you allowing connections from your WWW server to folks? WWW
>traffic isn't generated *from* your server, but to your server.

Ah, but the same box is also doing NAT for internal machines. If connections on port 80 weren't allowed OUT, then people on the local "subnet 10" couldn't browse the Web. The person who posted the original message of this thread seemed to want NAT to work (please correct me if I'm wrong here).

> > # Allow FTP data channels in for active FTP
> > $fwcmd add pass log tcp from any 20 to any 1024-65535 setup
>
>Active ftp is a nightmare waiting to happen. My boxes are now all set up
>to only do passive mode ftp, and aside from the hassle of installing
>software that defaults to passive mode, they haven't noticed anything.

Some software can't be made to do passive mode. I recently had to install this rule to get machines at a client site working. Yes, it's a significant "hole" in the firewall, but one that isn't easily exploited.

>Or, if you trust your internal users, you can simply use the rule
>
># Internal users are trusted to only create valid connections.
>
>$fwcmd add pass tcp from $oip to any setup

This sort of rule is common. The main drawback is that it can let a Trojan Horse run rampant.

>Building a firewall is sometimes a hit/miss proposition because you never
>know *what* kind of traffic is being generated on a LAN, and what I've
>found is that too often I shut someone down from doing something they
>think they want.

All too true.

--Bret
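The rules argued over above, written out as an rc.firewall-style fragment. This is an added example for the thread, not FreeBSD's own rc.firewall and not code posted by either participant. It assumes the topology Brett describes (one box running the public web server and doing natd translation for "subnet 10"); the interface name fxp0, the outside address 192.0.2.10 and the variable names are illustrative assumptions. The outbound port 80 rule is restricted to the NAT box's own outside address, which is what the translated traffic actually carries, and the active-FTP data rule is narrowed to the internal net with the X11 port range denied ahead of it. It remains a hole: ipfw of this era has no way to tie an inbound port-20 connection to the PORT command that asked for it.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.firewall itself: an ipfw rule fragment for
# a box that runs the public web server and does NAT (natd, kernel built with
# IPDIVERT) for an internal "subnet 10". Interface name and outside address
# are assumptions chosen for illustration.
oif="fxp0"                # assumed outside interface
oip="192.0.2.10"          # assumed outside address (documentation range)
inet="10.0.0.0"           # internal net from the thread
imask="255.0.0.0"

# Command the rules are fed to: "ipfw" on the gateway. The default here is
# "echo ipfw" so the rule set can be reviewed without loading it.
fwcmd="${FWCMD:-echo ipfw}"

build_rules() {
    $fwcmd -f flush

    # Translate everything crossing the outside interface. Inbound packets are
    # rewritten to their internal address before the later rules see them;
    # outbound packets from 10/8 leave with $oip as their source.
    $fwcmd add divert natd all from any to any via "$oif"

    # Replies to connections that already passed a 'setup' (SYN-only) rule.
    $fwcmd add pass tcp from any to any established

    # Public web server on this box.
    $fwcmd add pass tcp from any to "$oip" 80 setup

    # Web browsing by NAT'd internal users. After natd the source is $oip,
    # so this is the only outbound 80 rule NAT needs; 'from any to any 80'
    # is wider than required.
    $fwcmd add pass tcp from "$oip" to any 80 setup

    # Active FTP data channel. The rule from the thread was
    #   $fwcmd add pass log tcp from any 20 to any 1024-65535 setup
    # which admits any connection whose source port is 20, to any host and any
    # high port, including untranslated SYNs to the gateway's own high ports.
    # Denying the X11 range first removes the most obvious targets, and
    # limiting the destination to the internal net confines the hole to the
    # hosts that actually run FTP clients. It is still a hole: ipfw cannot
    # tie the data connection to the PORT command that requested it.
    $fwcmd add deny log tcp from any 20 to any 6000-6063 setup
    $fwcmd add pass log tcp from any 20 to "${inet}:${imask}" 1024-65535 setup

    # Anything else that tries to open a TCP connection is refused and logged.
    $fwcmd add deny log tcp from any to any setup
}

build_rules
```

Run it as-is to print the rule set for review; set `FWCMD=ipfw` (as root, on the gateway) to load it. Rule order matters: the X11 deny must sit before the port-20 pass, and the `established` rule before the `setup` rules, or the later rule never sees the packets.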