From owner-freebsd-security  Sat Dec  4  7:58:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91])
	by hub.freebsd.org (Postfix) with ESMTP
	id B197B14F6C; Sat,  4 Dec 1999 07:58:24 -0800 (PST)
	(envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id IAA11471;
	Sat, 4 Dec 1999 08:57:13 -0700 (MST)
	(envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4)
	id IAA16413; Sat, 4 Dec 1999 08:57:12 -0700
Date: Sat, 4 Dec 1999 08:57:12 -0700
Message-Id: <199912041557.IAA16413@mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Adam Laurie <adam@algroup.co.uk>
Cc: Nate Williams <nate@mt.sri.com>,
	"Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>,
	John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
In-Reply-To: <384910D5.43271787@algroup.co.uk>
References: <199912021954.LAA74271@gndrsh.dnsmgr.net>
	<3846FA12.F1480F19@algroup.co.uk>
	<199912022343.QAA08462@mt.sri.com>
	<3847ACBE.3D66A556@algroup.co.uk>
	<3847C0CB.2E9774A@algroup.co.uk>
	<199912031601.JAA10973@mt.sri.com>
	<3847F55E.B546B2EB@algroup.co.uk>
	<199912031658.JAA11193@mt.sri.com>
	<3847F939.47978597@algroup.co.uk>
	<199912031729.KAA11375@mt.sri.com>
	<384812A7.EAAB3BD8@algroup.co.uk>
	<199912032006.NAA12109@mt.sri.com>
	<384910D5.43271787@algroup.co.uk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > The problem is that there is no generic solution.
> 
> As I pointed out earlier on, this is a generic solution - it just needs
> a few different versions of the rules to cope with each scenario. I will
> say it one last time, then give up: your ruleset allows UDP services to
> be attacked from a "trusted" host, or something that is able to spoof
> it. Mine does not.

Except in many cases, the 'trusted' host *IS* the firewall itself, or a
machine that you *can* trust if it's inside the firewall.

This is acceptable in many cases, and for what it's worth, in my ruleset
it still doesn't allow UDP services to be attacked.  You didn't read
*my* list of rules very carefully.




Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message