Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jason Stone (jason-fbsd-security_at_shalott.net)
Date: Thu Sep 12 2002 - 17:42:11 CDT
-----BEGIN PGP SIGNED MESSAGE-----
> > Having the firewall permit such packets and counting on the client to
> > correctly discard them is probably a bad idea - after all, if you trust
> > the clients to run a properly configured and non-broken OS, why have a
> > firewall at all?
> Defense in depth.
Yes, that's exactly my point - you are advocating that we have the
firewall permit more than we need to and trust the clients. I'm saying
that of course you try to do as good a job securing the clients as you
can, but you also have the firewall be as restrictive as possible so that
you're trusting the clients as little as possible.
> What happens if the packets don't go through the dynamic firewall? Or
> are sent in response to an internal request and dynamicly permitted
> Presuming that you should permit responses to internal requests because
> internally-initiated requests are supposed to be "safer" is an assumption
> that I question.
We are not presuming anything of the kind - obviously, any packets that
you mean to deny you set up deny rules for. We are talking about
a situation where you want to allow a particular outbound service. With
your ruleset, you are allowing packets back into the internal network that
should never be allowed in there. With a ruleset that involves
keep/check-state, you have the same semantics in terms of what you mean to
allow, but you deny more packets that shouldn't be allowed. And if you're
only setting keep-state on the rules allowing the outbound setup packets,
you probably don't have to worry about DoS.
allow tcp from $INET to any 22 setup
allow tcp from any 22 to $INET established
allow tcp from $INET to any 22 setup keep-state
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message