From owner-freebsd-security Tue Feb 20 12: 5:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from quack.kfu.com (quack.kfu.com [205.178.90.194]) by hub.freebsd.org (Postfix) with ESMTP id 6A33637B4EC for ; Tue, 20 Feb 2001 12:05:47 -0800 (PST) (envelope-from nsayer@medusa.kfu.com)
Received: from medusa.kfu.com (medusa.kfu.com [205.178.90.222]) by quack.kfu.com (8.11.1/8.11.1) with ESMTP id f1KK5kj48392 for ; Tue, 20 Feb 2001 12:05:46 -0800 (PST) (envelope-from nsayer@medusa.kfu.com)
Received: (from nsayer@localhost) by medusa.kfu.com (8.11.1/8.11.0) id f1KK5kv83619 for freebsd-security@freebsd.org; Tue, 20 Feb 2001 12:05:46 -0800 (PST) (envelope-from nsayer)
Date: Tue, 20 Feb 2001 12:05:46 -0800 (PST)
From: Nick Sayer
Message-Id: <200102202005.f1KK5kv83619@medusa.kfu.com>
To: freebsd-security@freebsd.org
Subject: /etc/rc.firewall fixes
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like to suggest a new "simple" firewall configuration.

I recently put a security fix in the prototype /etc/rc.firewall stuff to close up a rather glaring security hole. The old stuff did

    pass udp from any 53 to ${oip}

which allows someone to communicate, for instance, with port 2049 so long as they bind their end to 53. The state keeping stuff is the correct solution.

My proposed "simple" firewall config goes something like this:

    check-state
    pass udp from ${mynet} to any keep-state
    pass all from ${mynet} to any
    pass tcp from any to any established
    pass icmp from any to any

This simple set of rules represents a simple one-way setup. UDP is allowed to go out, and matching replies are allowed to come back in. TCP sessions are allowed to go out only. By itself it is not a complete ruleset, but I think it is a better one than any of the examples we presently have.

I haven't committed this because I wanted to start some discussion first and commit the resulting consensus.
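The proposed ruleset, written as a shell function in the style of /etc/rc.firewall. This is an added example, not the author's committed text: it assumes rc.firewall's ${fwcmd} convention (defaulting here to echo for a dry run), the ipfw "add" keyword in front of each rule, and a constructed placeholder network for ${mynet}; the old "from any 53" rule is shown only in a comment, as the thing these rules replace.

```shell
#!/bin/sh
# Added example: load the proposed "simple" stateful ruleset through
# ${fwcmd}, the way /etc/rc.firewall drives ipfw. fwcmd defaults to
# "echo" so running this prints the rules instead of changing the
# kernel; set fwcmd=/sbin/ipfw on a FreeBSD host to load them.
#
# The rule being replaced was:
#     pass udp from any 53 to ${oip}
# It trusts the remote *source* port, so anything sent from port 53
# reaches any UDP service on ${oip} (port 2049, for instance). The
# rules below only admit UDP replies that match a query ${mynet} sent.

simple_firewall() {
    mynet="$1"                      # constructed placeholder, e.g. 10.0.0.0/24
    fwcmd="${fwcmd:-echo}"          # dry run unless the caller sets fwcmd
    [ -n "$mynet" ] || return 1     # refuse to emit rules for an empty network

    ${fwcmd} -f flush                                           # start clean, as rc.firewall does

    ${fwcmd} add check-state                                    # match packets against dynamic rules first
    ${fwcmd} add pass udp from ${mynet} to any keep-state       # outbound UDP creates a dynamic reply entry
    ${fwcmd} add pass all from ${mynet} to any                  # everything else may leave
    ${fwcmd} add pass tcp from any to any established           # inbound TCP only if part of an existing session
    ${fwcmd} add pass icmp from any to any
    # Not a complete ruleset: whatever does not match above is left to
    # the kernel's default rule, as the post itself notes.
}

# Dry-run usage: print the rules for a constructed network.
simple_firewall 10.0.0.0/24
```
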