OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jason Stone (jason-fbsd-security_at_shalott.net)
Date: Thu Sep 12 2002 - 17:42:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > > Having the firewall permit such packets and counting on the client to
    > > correctly discard them is probably a bad idea - after all, if you trust
    > > the clients to run a properly configured and non-broken OS, why have a
    > > firewall at all?
    >
    > Defense in depth.

    Yes, that's exactly my point - you are advocating that we have the
    firewall permit more than we need to and trust the clients. I'm saying
    that of course you try to do as good a job securing the clients as you
    can, but you also have the firewall be as restrictive as possible so that
    you're trusting the clients as little as possible.

    > What happens if the packets don't go through the dynamic firewall? Or
    > are sent in response to an internal request and dynamicly permitted
    > through?

    > Presuming that you should permit responses to internal requests because
    > internally-initiated requests are supposed to be "safer" is an assumption
    > that I question.

    We are not presuming anything of the kind - obviously, any packets that
    you mean to deny you set up deny rules for. We are talking about
    a situation where you want to allow a particular outbound service. With
    your ruleset, you are allowing packets back into the internal network that
    should never be allowed in there. With a ruleset that involves
    keep/check-state, you have the same semantics in terms of what you mean to
    allow, but you deny more packets that shouldn't be allowed. And if you're
    only setting keep-state on the rules allowing the outbound setup packets,
    you probably don't have to worry about DoS.

    We're replacing:

        allow tcp from $INET to any 22 setup
        allow tcp from any 22 to $INET established

    with

        check-state
        allow tcp from $INET to any 22 setup keep-state

     -Jason

     -----------------------------------------------------------------------
     I worry about my child and the Internet all the time, even though she's
     too young to have logged on yet. Here's what I worry about. I worry
     that 10 or 15 years from now, she will come to me and say "Daddy, where
     were you when they took freedom of the press away from the Internet?"
            -- Mike Godwin

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: See https://private.idealab.com/public/jason/jason.gpg

    iD8DBQE9gRhDswXMWWtptckRArKuAJ9bV+AM72M0sKZj63IkGLmCTbI9UwCgqbiz
    mqoMdw+4bj50uCVTFC4OTlw=
    =I8Mr
    -----END PGP SIGNATURE-----

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message