 
From: Jason Stone (jason-fbsd-security_at_shalott.net)
Date: Thu Sep 12 2002 - 16:50:18 CDT



> > but won't that actually result in an overly permissive firewall? e.g., if
> > you want to allow outgoing http connections, you have to allow packets from
> > any external server port 80 to a whole bunch of tcp ports on internal ips.
>
> Nope. While I prefer to use a proxy to centralize web access to the
> outside via my interior firewall, you can also do something like:
>
> add pass tcp from $INET $HIPORTS to any 80,443
> add pass tcp from any 80,443 to $INET $HIPORTS established
>
> Without performing the TCP 3-way startup (starting with a packet with
> SYN=1 and ACK=0), the TCP sequence numbers won't match and the client
> being scanned from some random external IP will simply drop the invalid
> connection attempt.

Yes, unless of course the client has a broken tcp stack (think teardrop).

Having the firewall permit such packets and counting on the client to
correctly discard them is probably a bad idea - after all, if you trust
the clients to run a properly configured and non-broken OS, why have a
firewall at all?

Packets that the client is just going to discard anyway should certainly
be discarded by the firewall, and this is exactly what the
keep-state/check-state rules do for you.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin
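The difference between the quoted "established" rule pair and keep-state/check-state, as an added toy model (not code from the thread or from ipfw itself): the inside network, addresses, ports and packets are constructed, and the stateful half assumes a "setup keep-state" rule that only creates state on an outbound SYN.

```python
# Toy packet-filter model comparing the two rule styles from the thread.
# All hosts, ports and traffic below are constructed for illustration.
from dataclasses import dataclass

WEB_PORTS = (80, 443)
HIPORTS = range(1024, 65536)          # stands in for $HIPORTS


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def internal(ip):
    """Stands in for $INET: assumed inside network 10.0.0.0/24."""
    return ip.startswith("10.0.0.")


def established_style(pkt):
    """Stateless model of the quoted pair: outbound to 80/443 passes, and any
    inbound packet from 80/443 to a high port passes if ACK is set."""
    if internal(pkt.src) and pkt.sport in HIPORTS and pkt.dport in WEB_PORTS:
        return True
    return (internal(pkt.dst) and pkt.sport in WEB_PORTS
            and pkt.dport in HIPORTS and pkt.ack)


class StatefulStyle:
    """Model of 'check-state' plus 'pass tcp from $INET to any 80,443 setup
    keep-state': inbound traffic passes only on a flow an inside host opened."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:       # check-state hit
            return True
        if (internal(pkt.src) and pkt.sport in HIPORTS and pkt.dport in WEB_PORTS
                and pkt.syn and not pkt.ack):           # 'setup': SYN, no ACK
            self.flows.add(fwd)                         # keep-state: remember it
            return True
        return False


def compare(packets):
    """Return (established_verdict, stateful_verdict) per packet, in order."""
    stateful = StatefulStyle()
    return [(established_style(p), stateful.allow(p)) for p in packets]


# Constructed traffic: a real fetch, then an unsolicited ACK from an outside
# host's port 80 that no inside host ever talked to.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),            # SYN
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),  # SYN/ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, ack=True),            # ACK
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, ack=True),            # stray ACK
]

if __name__ == "__main__":
    for pkt, (est, st) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  established={est}  stateful={st}")
```

The last packet is exactly the case the reply describes: the "established" pair lets it through to the client, while the stateful rules drop it at the firewall.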

