Date: Sun, 24 Feb 2002 15:05:33 -0800 From: "Crist J. Clark" <cjc@FreeBSD.ORG> To: Matt Piechota <piechota@argolis.org> Cc: Ralph Huntington <rjh@mohawk.net>, freebsd-security@FreeBSD.ORG Subject: Re: Couple of concerns with default rc.firewall Message-ID: <20020224150533.C83869@blossom.cjclark.org> In-Reply-To: <20020224110246.M17449-100000@cithaeron.argolis.org>; from piechota@argolis.org on Sun, Feb 24, 2002 at 11:08:20AM -0500 References: <20020224104008.H14963-100000@mohegan.mohawk.net> <20020224110246.M17449-100000@cithaeron.argolis.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Feb 24, 2002 at 11:08:20AM -0500, Matt Piechota wrote: > On Sun, 24 Feb 2002, Ralph Huntington wrote: > > > Maybe I'm missing the point, but doesn't "deny ip from any to any" (which > > is the last rule in a block-all-by-default firewall) doesn't that mean to > > block everything, meaning everything? Nothing would be allowed, not any > > icmp of any type or anything else. In order to allow anything in > > particular, that would have to be explicitly enabled in a prior (ipfw) > > rule, is that not correct? > > I think the question is did the FreeBSD team intentionally (for the > reasons of security) make the default install non-compliant with some > RFCs (read: broken), or was it just not thought of? Pretty much any kind of firewalling makes a system non-compliant. For example, not returning a RST on any TCP port not in the LISTEN state breaks the Standard. What's the first thing people do when firewalling a host? Block incoming TCP so it doesn't generate RSTs. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020224150533.C83869>