From owner-freebsd-security  Sat Dec  4 11:57:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id C5F7515215;
	Sat, 4 Dec 1999 11:57:34 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2])
	by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id TAA05323;
	Sat, 4 Dec 1999 19:46:03 GMT
Message-ID: <38496F80.EEC8AD51@algroup.co.uk>
Date: Sat, 04 Dec 1999 19:46:08 +0000
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams
Cc: "Rodney W. Grimes", John Baldwin, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
References: <199912021954.LAA74271@gndrsh.dnsmgr.net>
	<3846FA12.F1480F19@algroup.co.uk>
	<199912022343.QAA08462@mt.sri.com>
	<3847ACBE.3D66A556@algroup.co.uk>
	<3847C0CB.2E9774A@algroup.co.uk>
	<199912031601.JAA10973@mt.sri.com>
	<3847F55E.B546B2EB@algroup.co.uk>
	<199912031658.JAA11193@mt.sri.com>
	<3847F939.47978597@algroup.co.uk>
	<199912031729.KAA11375@mt.sri.com>
	<384812A7.EAAB3BD8@algroup.co.uk>
	<199912032006.NAA12109@mt.sri.com>
	<384910D5.43271787@algroup.co.uk>
	<199912041557.IAA16413@mt.sri.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> 
> > > > The problem is that there is no generic solution.
> > 
> > As I pointed out earlier on, this is a generic solution - it just needs
> > a few different versions of the rules to cope with each scenario. I will
> > say it one last time, then give up: your ruleset allows UDP services to
> > be attacked from a "trusted" host, or something that is able to spoof
> > it. Mine does not.
> 
> Except in many cases, the 'trusted' host *IS* the firewall itself, or a
> machine that you *can* trust if it's inside the firewall.

Yes, but at some point in your chain you have to talk to the outside
world. It is at that point that you are vulnerable as you are trusting
an external machine.

> 
> This is acceptable in many cases, and for what it's worth, in my ruleset
> it still doesn't allow UDP services to be attacked. You didn't read
> *my* list of rules very carefully.

Since you didn't post any rules, only statements about what they do, I
can't comment. Rod also claimed his ruleset was "safe", and you backed
him up, but it isn't.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
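The point argued in the message above (a rule that admits UDP "from the trusted host" by source address alone also admits an outside packet that spoofs that address, unless an anti-spoofing rule keyed on the receiving interface comes first) can be made concrete with a toy first-match filter. This is an added example; it is not code from the thread, from either poster's ruleset, or from FreeBSD's rc.firewall, and it is not ipfw: it models only ipfw's first-match evaluation and its `in via <interface>` match. The addresses, interface names, the DNS port and the two rulesets are assumptions chosen for illustration.

```python
"""Toy first-match packet filter (added example, not ipfw itself).

Shows why a UDP rule keyed on source address alone is spoofable, and how
an interface-keyed anti-spoofing rule placed before it closes the hole.
All addresses, interfaces and ports below are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TRUSTED_HOST = "192.168.1.10"    # assumed "trusted" host on the LAN
INTERNAL_NET = "192.168.1.0/24"  # assumed LAN behind the firewall
FIREWALL_LAN = "192.168.1.1"     # assumed firewall address on the LAN
INT_IF, EXT_IF = "fxp0", "fxp1"  # assumed inside / outside interfaces


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]
    recv_if: str          # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "ip"              # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    recv_if: Optional[str] = None  # models ipfw's "in via <if>"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.recv_if is not None and self.recv_if != p.recv_if:
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Ruleset A: a UDP service (DNS here) opened to the trusted host by
# source address only.  Nothing checks which interface the packet used.
WEAK = [
    Rule("allow", "udp", src=TRUSTED_HOST, dport=53),
    Rule("deny"),
]

# Ruleset B: first drop anything arriving on the outside interface that
# claims an internal source address, then the same service rule.
HARDENED = [
    Rule("deny", src=INTERNAL_NET, recv_if=EXT_IF),
    Rule("allow", "udp", src=TRUSTED_HOST, dport=53),
    Rule("deny"),
]

# Constructed sample traffic: the genuine trusted host on the inside
# interface, and an outside packet forging the trusted host's address.
LEGIT = Packet("udp", TRUSTED_HOST, FIREWALL_LAN, 53, INT_IF)
SPOOFED = Packet("udp", TRUSTED_HOST, FIREWALL_LAN, 53, EXT_IF)


def compare(packet: Packet) -> Tuple[str, str]:
    """Verdict of (WEAK, HARDENED) for one packet."""
    return evaluate(WEAK, packet), evaluate(HARDENED, packet)


if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT), ("spoofed", SPOOFED)):
        weak, hard = compare(pkt)
        print(f"{name:10s} weak={weak:5s} hardened={hard}")
```

The legitimate packet passes both rulesets; the spoofed one passes the weak ruleset and is stopped by the hardened one, because the anti-spoofing rule is evaluated first and matches on the receiving interface, which an outside sender cannot forge. Order matters: moving the anti-spoofing rule below the service rule reopens the hole under first-match semantics.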