Date:      Wed, 21 Feb 2001 08:30:35 -0500
From:      Mikel King <mikel@ocsinternet.com>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        Nick Sayer <nsayer@quack.kfu.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: /etc/rc.firewall fixes
Message-ID:  <3A93C2FB.3E160997@ocsinternet.com>
References:  <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk>

Yes, I would tend to agree that it would be rather handy to have the config
outside of rc.firewall, and rc.conf is a likely candidate. Presently I do
this manually because I have several scripts that use these common vars
like 'oif', and for maintenance purposes it's easier to have a central point
for their assignment.

cheers,
mikel

Adam Laurie wrote:

> Nick Sayer wrote:
> >
> > I would like to suggest a new "simple" firewall configuration.
> >
> > I recently put a security fix in the prototype /etc/rc.firewall
> > stuff to close up a rather glaring security hole.
> >
> > The old stuff did
> >
> > pass udp from any 53 to ${oip}
> >
> > which allows someone to communicate, for instance, with port 2049 so
> > long as they bind their end to 53. The state keeping stuff is the
> > correct solution.
> >
> > My proposed "simple" firewall config goes something like this:
> >
> > check-state
> > pass udp from ${mynet} to any keep-state
> > pass all from ${mynet} to any
> > pass tcp from any to any established
> > pass icmp from any to any
> >
> > This simple set of rules represents a simple one-way set up. UDP is
> > allowed to go out, and matching replies are allowed to come back in.
> > TCP sessions are allowed to go out only.
> >
> > By itself it is not a complete ruleset, but I think it is a better one
> > than any of the examples we presently have. I haven't committed this
> > because I wanted to start some discussion first and commit the resulting
> > consensus.
>
> while you're at it, all the variable definitions need to be moved out of
> rc.firewall itself and into rc.conf. i would also like to see a "mobile"
> section for ppp/dialup and will contribute mine if required... good luck
> with getting a commit! :)
>
> cheers,
> Adam
> --
> Adam Laurie                   Tel: +44 (20) 8742 0755
> A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
> Voysey House                  http://www.thebunker.net
> Barley Mow Passage            http://www.aldigital.co.uk
> London W4 4GB                 mailto:adam@algroup.co.uk
> UNITED KINGDOM                PGP key on keyservers
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


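The hole Nick describes above (a source-port-only check lets a remote host reach any UDP port by binding its end to 53) and the keep-state fix are easy to see in a toy model. The following is an added example, not code from the thread or from FreeBSD's rc.firewall: it evaluates packets against a sketch of the old "pass udp from any 53 to ${oip}" rule and against Nick's proposed stateful ruleset, in ipfw rule order. The addresses, ports, the ${mynet}/${oip} values, and the assumption that the old ruleset also passed outbound traffic from ${mynet} are all constructed for the demonstration.

```python
"""Toy model of the two ipfw rulesets discussed in the thread (added example,
not FreeBSD's rc.firewall). All addresses, ports and variables are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False   # TCP only: ACK or RST set (ipfw "established")


MYNET = "192.168.1."            # constructed stand-in for ${mynet}, used as a prefix
OIP = "192.168.1.1"             # constructed stand-in for ${oip} (outside interface)


class Firewall:
    """Runs a policy function over packets and holds the dynamic (keep-state) table."""

    def __init__(self, policy):
        self.policy = policy
        self.dynamic = set()    # 5-tuples recorded by keep-state rules

    def in_mynet(self, addr):
        return addr.startswith(MYNET)

    def add_state(self, pkt):
        self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def lookup_state(self, pkt):
        # check-state matches a recorded flow in either direction
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def filter(self, pkt):
        return self.policy(self, pkt)


def old_rules(fw, pkt):
    """Old rc.firewall idea: 'pass udp from any 53 to ${oip}'. Only the source
    port is checked, so any host that binds port 53 reaches any UDP port on oip."""
    if fw.in_mynet(pkt.src):                        # assumed outbound rule (toy only)
        return "pass"
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dst == OIP:
        return "pass"
    return "deny"


def stateful_rules(fw, pkt):
    """Nick Sayer's proposed 'simple' ruleset, rule by rule, in ipfw order."""
    if fw.lookup_state(pkt):                        # check-state
        return "pass"
    if pkt.proto == "udp" and fw.in_mynet(pkt.src): # pass udp from ${mynet} to any keep-state
        fw.add_state(pkt)
        return "pass"
    if fw.in_mynet(pkt.src):                        # pass all from ${mynet} to any
        return "pass"
    if pkt.proto == "tcp" and pkt.established:      # pass tcp from any to any established
        return "pass"
    if pkt.proto == "icmp":                         # pass icmp from any to any
        return "pass"
    return "deny"                                   # default deny


def demo():
    """Verdicts each ruleset gives to a DNS exchange and to a probe of the NFS
    port (2049) sent from source port 53. Packets are constructed samples."""
    query = Packet("udp", OIP, 40000, "198.51.100.53", 53)   # outbound DNS query
    reply = Packet("udp", "198.51.100.53", 53, OIP, 40000)   # its legitimate reply
    probe = Packet("udp", "203.0.113.9", 53, OIP, 2049)      # sport 53 -> NFS port

    verdicts = {}
    for name, fw in (("old", Firewall(old_rules)), ("stateful", Firewall(stateful_rules))):
        verdicts[name] = {
            "probe_before_query": fw.filter(probe),
            "query": fw.filter(query),
            "reply": fw.filter(reply),
            "probe_after_query": fw.filter(probe),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in demo().items():
        print(name, v)
```

The old policy passes the probe in both positions because it never asks whether an inside host started the conversation; the stateful policy passes the reply only because the query recorded a flow, and the probe is denied before and after because no matching flow exists.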