From owner-freebsd-security Sun Feb 24 0: 6:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 3AB0737B400 for ; Sun, 24 Feb 2002 00:06:21 -0800 (PST)
Received: (qmail 24669 invoked by uid 1001); 24 Feb 2002 08:06:01 -0000
Date: Sun, 24 Feb 2002 03:06:01 -0500
From: "Peter C. Lai"
To: Jeff Palmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Couple of concerns with default rc.firewall
Message-ID: <20020224030601.A24528@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <003b01c1bcda$d4f06020$0286a8c0@home.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <003b01c1bcda$d4f06020$0286a8c0@home.lan>; from scorpio@drkshdw.org on Sat, Feb 23, 2002 at 09:27:39PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Some people prefer to block all ICMP, but personally, I do not support that
line of thought, because blocking ICMP breaks routing RFCs. Furthermore,
although people can't, say, ping your box, they can still DoS the machine by
overwhelming the ipfw rules.

On Sat, Feb 23, 2002 at 09:27:39PM -0500, Jeff Palmer wrote:
> Hi all.
>
> I have a few concerns with the default /etc/rc.firewall.
> It's fairly common practice (and typically considered to be the most secure
> practice) to build a default-to-deny firewall. Only traffic that you
> specifically allow can pass.
>
> Taking this into consideration, I checked 'man firewall' and find that it
> too agrees with the above.
>
> Having said that... is where we get into my problem.
> I compile my kernel with ipfw support, without the default_to_allow, and
> use a slightly modified "simple" configuration. This, by default, denies all
> incoming ICMP.
> So, I again referred back to 'man firewall' and again, it agrees with my
> thinking.. Certain ICMP types are beneficial, and should not be denied
> (especially considering most users probably aren't "into" security, so they
> use a default firewall if any at all.)
>
> Is there any reason in particular that ALL ICMP traffic is denied by
> default, except for using the 'open' ruleset?
> Or is this just a simple oversight that needs to be examined?
>
> Thanks in advance for any feedback.
> Also, thanks for NOT flaming me if I've missed something obvious.
>

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
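The thread above contrasts the "simple" ruleset, which drops every ICMP message, with the firewall(7) advice that a few ICMP types are needed for the network to work. The script below is an added example written for this page; it is not code from either poster nor from FreeBSD's rc.firewall. It keeps the default-to-deny stance (the kernel's final rule 65535 still denies) but inserts an explicit allow for the types a host relies on: 0 echo reply, 3 destination unreachable (which carries the "fragmentation needed" message path-MTU discovery depends on), 8 echo request and 11 time exceeded. The interface name, the rule numbers and the exact type list are assumptions to adapt per host. The function prints the ipfw(8) commands rather than running them, so the fragment can be reviewed, diffed against `ipfw list`, and then loaded with `icmp_rules | sh` as root.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeBSD's
# /etc/rc.firewall. Emits an ipfw(8) fragment that admits only the
# beneficial ICMP types and drops (and logs) the rest, so the kernel's
# implicit default-to-deny rule keeps its effect for everything else.

# Hypothetical outside interface; override with: oif=em0 ./icmp_rules.sh
oif="${oif:-fxp0}"

# icmp_rules prints one ipfw command per line instead of executing it.
# Rule numbers 2000/2010 are arbitrary and assumed to sit after the
# loopback/anti-spoofing rules of the surrounding ruleset.
icmp_rules() {
    fwcmd="ipfw -q"
    # 0  echo reply            (answers to our own pings)
    # 3  destination unreachable (includes "fragmentation needed", code 4,
    #                           without which path-MTU discovery stalls)
    # 8  echo request          (lets others ping the host)
    # 11 time exceeded         (traceroute replies)
    allowed_types="0,3,8,11"
    printf '%s add 2000 allow icmp from any to any icmptypes %s via %s\n' \
        "$fwcmd" "$allowed_types" "$oif"
    # The explicit deny comes after the allow; logging it makes the
    # dropped types visible in the ipfw log rather than silently lost.
    printf '%s add 2010 deny log icmp from any to any via %s\n' \
        "$fwcmd" "$oif"
}

# count_allowed_types returns how many ICMP types the allow rule admits,
# a quick sanity check to run before loading the fragment.
count_allowed_types() {
    icmp_rules \
        | sed -n 's/.*icmptypes \([0-9,]*\).*/\1/p' \
        | tr ',' '\n' \
        | wc -l \
        | tr -d ' '
}

# Stand-alone use: print the fragment for review.
icmp_rules
```

Note that this fragment only narrows which ICMP messages reach the host; as the reply above points out, it does nothing against a flood aimed at the rule processing itself, which is a capacity question rather than a filtering one.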