From owner-freebsd-bugs Fri Oct 29 14:51:55 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 486DA14D0A for ; Fri, 29 Oct 1999 14:51:41 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id PAA13670; Fri, 29 Oct 1999 15:51:41 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id PAA06826; Fri, 29 Oct 1999 15:51:40 -0600
Date: Fri, 29 Oct 1999 15:51:40 -0600
Message-Id: <199910292151.PAA06826@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Ronald F. Guilmette"
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: Some fixes for some non-features of the /etc/rc.firewall script
In-Reply-To: <726.941233584@segfault.monkeys.com>
References: <726.941233584@segfault.monkeys.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The second patch below allows outsiders to connect to your AUTH port (113).
> I found that allowing this will cut down a lot on the number of pointless
> "Deny" log messages you will get if you don't have this, because a *lot*
> of things out in the real world (most notably Sendmail) _will_ try to
> connect to your local auth port whenever you connect out to them.

Or you can simply ignore them completely w/out logging them, since AUTH is
a useless protocol, and you really shouldn't have a real AUTH daemon
running on your box in any case.

> The next patch allows ICMP packets and UDP packets to flow freely between
> other machines on the local net and the current (firewall) machine and vice
> versa. I don't see how allowing this could create a security threat, so
> it seems to me that it ought to be allowed. I was definitely annoyed when,
> after having first tried the "simple" firewall setup, I found that I could
> no longer even ping the firewall machine from other machines on my own local
> net.

It depends on local policy whether or not the 'firewall' should be
protected from internal users. In many installations (not mine, mind you)
internal users are *also* suspect.

> Last but not least, I added an EXPLICIT command:
>
> ipfw add deny log ip from any to any
>
> This is intended to take the place of the implicit default "fall through"
> deny command that you will get anyway, with the only difference being that
> _this one_ asks for denied packets to be logged (and the default rule doesn't
> do that).

I like this, but it's because I have something like it. However, I have
'ipfw add deny log all from any to any', since I don't want just to log ip
stuff. :)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
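The three points argued over in this exchange (how to treat inbound AUTH/ident probes on tcp/113, whether ICMP and UDP between the local net and the firewall host should pass, and an explicit logged deny as the last rule) can be put together in one small rc.firewall-style rule set. The script below is an added example written for this page; it is not code from either poster and not FreeBSD's own /etc/rc.firewall. The interface name `ed0`, the network `192.168.1.0/24`, the firewall address `192.168.1.1` and the rule numbers are constructed assumptions, and `fwcmd` defaults to `echo ipfw` so the rules are printed for review instead of loaded; set `fwcmd=/sbin/ipfw` on a real host. It follows Nate's suggestion for 113 (refuse quietly, without logging, so Sendmail-style probes do not flood syslog) and uses `all` rather than `ip` in the final deny, as he does.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD's /etc/rc.firewall.
# Everything below the comment is an assumption chosen for illustration.
fwcmd="${fwcmd:-echo ipfw}"       # /sbin/ipfw on a real box; echo just prints rules
oif="${oif:-ed0}"                 # assumed outside interface
inet="${inet:-192.168.1.0/24}"    # assumed local net (constructed)
ip="${ip:-192.168.1.1}"           # assumed firewall address (constructed)

rules() {
    ${fwcmd} -f flush
    # Loopback is always allowed; nothing from elsewhere may claim 127.0.0.0/8.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # AUTH/ident (tcp/113) from outside: refuse quietly, no log entry.
    # A TCP reset lets the remote MTA give up at once instead of waiting
    # on a timeout, which is what makes "ignore it" painless for mail.
    ${fwcmd} add 300 reset tcp from any to ${ip} 113 in via ${oif}
    # ICMP and UDP between hosts on the local net and the firewall itself,
    # both directions. Whether to allow this is local policy: drop these
    # four rules if internal hosts are also treated as untrusted.
    ${fwcmd} add 400 pass icmp from ${inet} to ${ip}
    ${fwcmd} add 410 pass icmp from ${ip} to ${inet}
    ${fwcmd} add 420 pass udp from ${inet} to ${ip}
    ${fwcmd} add 430 pass udp from ${ip} to ${inet}
    # Established TCP and outbound connection setup from the firewall host.
    ${fwcmd} add 500 pass tcp from any to any established
    ${fwcmd} add 510 pass tcp from ${ip} to any setup
    # Explicit logged deny as the last rule, so what the implicit default
    # would silently drop is visible in syslog. 'all' rather than 'ip'.
    ${fwcmd} add 65000 deny log all from any to any
}

# How many rules carry the log keyword: a quick sanity check before loading,
# so you know which traffic will end up in the log and which will not.
logged_rule_count() {
    rules | grep -c ' log '
}

rules
```

Run it as-is to print the rule list, or with `fwcmd=/sbin/ipfw sh rcfw.sh` to load it. With this ordering an outside ident probe hits rule 300 and never reaches the logged deny, while local pings reach the firewall through rule 400/410; anything else not explicitly passed shows up in syslog via rule 65000.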