Date: Sun, 24 Feb 2002 15:05:33 -0800 From: "Crist J. Clark" <cjc@FreeBSD.ORG> To: Matt Piechota <piechota@argolis.org> Cc: Ralph Huntington <rjh@mohawk.net>, freebsd-security@FreeBSD.ORG Subject: Re: Couple of concerns with default rc.firewall Message-ID: <20020224150533.C83869@blossom.cjclark.org> In-Reply-To: <20020224110246.M17449-100000@cithaeron.argolis.org>; from piechota@argolis.org on Sun, Feb 24, 2002 at 11:08:20AM -0500 References: <20020224104008.H14963-100000@mohegan.mohawk.net> <20020224110246.M17449-100000@cithaeron.argolis.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Feb 24, 2002 at 11:08:20AM -0500, Matt Piechota wrote:
> On Sun, 24 Feb 2002, Ralph Huntington wrote:
>
> > Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> > is the last rule in a block-all-by-default firewall) doesn't that mean to
> > block everything, meaning everything? Nothing would be allowed, not any
> > icmp of any type or anything else. In order to allow anything in
> > particular, that would have to be explicitly enabled in a prior (ipfw)
> > rule, is that not correct?
>
> I think the question is did the FreeBSD team intentionally (for the
> reasons of security) make the default install non-compliant with some
> RFCs (read: broken), or was it just not thought of?
Pretty much any kind of firewalling makes a system non-compliant.
For example, not returning a RST on any TCP port not in the LISTEN
state breaks the Standard. What's the first thing people do when
firewalling a host? Block incoming TCP so it doesn't generate RSTs.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020224150533.C83869>