Date: Sat, 20 Jul 2002 18:51:12 +1000
From: Mark.Andrews@isc.org
To: peter.lai@uconn.edu
Cc: Arvinn Løkkebakken <arvinn@whitebird.no>, bart@dreamflow.nl, markd@cogeco.ca, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <200207200851.g6K8pCJe016634@drugs.dv.isc.org>
In-Reply-To: Your message of "Sat, 20 Jul 2002 00:16:30 -0400." <20020720001630.A56591@cowbert.2y.net>
> On Sat, Jul 20, 2002 at 09:54:28AM +1000, Mark.Andrews@isc.org wrote:
>
> > > >> # Allow "local" traffic
> > > >> ipfw add allow all from any to any via lo0
> > > >>
> > > >> # Allow all outgoing traffic
> > > >> ipfw add allow all from any to any out
> > > >
> > > > This is a bad idea. You should only allow out what you
> > > > will accept back in. If you don't you will eventually be
> > > > guilty of pounding some poor server because you haven't
> > > > allowed the answers to come back.
> > >
> > > I can't see why that's a bad idea.
> > > ipfw does allow tcp ACK back through the firewall doesn't it?
> >
> > Not by default. The example this came from didn't allow
> > the ACK's back in all cases.
> >
> > > What do you mean only allow out what will accept in?
> >
> > Communication is a two way street. For TCP and UDP
> > you have <local-address,local-port> <remote-address,remote-port>.
> >
> > If you allow a packet out from <local-address,local-port> to
> > <remote-address,remote-port> you should allow packets from
> > <remote-address,remote-port> to <local-address,local-port>
> > back in. Or to put it another way if you don't let
> > <remote-address,remote-port> to <local-address,local-port> in
> > then you don't let <local-address,local-port> to <remote-address,
> > remote-port> out.
> >
> > If you have "ipfw add allow all from any to any out" then
> > you should have "ipfw add allow all from any to any in".
> >
>
> Or use a rule like 'allow all from any to any out [setup|keep-state]'
> to keep the channel open. (with setup, you'll need an 'allow from
> any to any in established' rule and with keep-state you'll need
> to check-state).

Sure, there are plenty of ways to solve the problem, keep-state amongst them. The point still is that you should not allow out what you will not allow back in.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
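As an added illustration of the point argued in this thread (not part of the original messages and not ipfw code), here is a toy first-match model of the three rulesets discussed: the quoted allow-everything-out rule on its own, the keep-state/check-state variant, and the setup/established variant. Addresses, ports and packets are constructed, and the model reduces ipfw to direction, SYN/ACK flags and a dynamic-state set.

```python
# Toy first-match model of ipfw rule evaluation (constructed for this example, not ipfw).
# Packets not matched by any rule fall through to the implicit default-deny rule.
LOCAL, REMOTE = ("192.0.2.10", 40000), ("198.51.100.5", 80)   # constructed hosts
def _pkt(direction, src, dst, *flags):
    return {"dir": direction, "src": src, "dst": dst, "flags": set(flags)}

# Constructed TCP handshake for a connection opened from the firewalled host.
HANDSHAKE = [
    _pkt("out", LOCAL, REMOTE, "SYN"),          # we open the connection
    _pkt("in", REMOTE, LOCAL, "SYN", "ACK"),    # the server answers
    _pkt("out", LOCAL, REMOTE, "ACK"),          # handshake completes
]
# Constructed unsolicited inbound SYN to ssh: every ruleset below must deny it.
UNSOLICITED = [_pkt("in", ("203.0.113.7", 5555), ("192.0.2.10", 22), "SYN")]
def _matches(rule, pkt):
    if rule.get("dir") and rule["dir"] != pkt["dir"]:
        return False
    if rule.get("opt") == "setup":        # SYN without ACK: a new connection
        return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]
    if rule.get("opt") == "established":  # ACK set: part of an existing one
        return "ACK" in pkt["flags"]
    return True

def evaluate(rules, packets):
    """One verdict per packet; keep-state stores a flow that check-state later matches either way."""
    dynamic, verdicts = set(), []
    for pkt in packets:
        flow = frozenset([pkt["src"], pkt["dst"]])   # direction-agnostic key
        verdict = "deny"
        for rule in rules:
            if rule["action"] == "check-state":
                if flow in dynamic:
                    verdict = "allow"
                    break
            elif _matches(rule, pkt):
                if rule.get("keep_state"):
                    dynamic.add(flow)
                verdict = rule["action"]
                break
        verdicts.append(verdict)
    return verdicts

# The quoted ruleset: everything out, nothing explicitly allowed back in.
ALLOW_OUT_ONLY = [{"action": "allow", "dir": "out"}]
# Stateful fix: check-state first, then allow out and remember the flow.
KEEP_STATE = [{"action": "check-state"},
              {"action": "allow", "dir": "out", "keep_state": True}]
# Stateless fix: ACK-bearing packets either way, new connections outbound only.
SETUP_ESTABLISHED = [{"action": "allow", "opt": "established"},
                     {"action": "allow", "dir": "out", "opt": "setup"}]
```

Run against HANDSHAKE, the allow-out-only ruleset drops the server's SYN/ACK (the "pounding some poor server" case), while both fixes pass the whole handshake and all three still deny the unsolicited inbound SYN.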