From owner-freebsd-current Mon Aug 16 20:57:24 1999
Delivered-To: freebsd-current@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 4169414E6E for ; Mon, 16 Aug 1999 20:57:18 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id UAA10363; Mon, 16 Aug 1999 20:56:54 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908170356.UAA10363@gndrsh.dnsmgr.net>
Subject: Re: Dropping connections without RST
In-Reply-To: from "Daniel O'Connor" at "Aug 17, 1999 01:12:26 pm"
To: doconnor@gsoft.com.au (Daniel O'Connor)
Date: Mon, 16 Aug 1999 20:56:54 -0700 (PDT)
Cc: current@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> 
> On 17-Aug-99 Rodney W. Grimes wrote:
> > I kinda like the idea of this, but can't that really just
> > be done easily with a few ipfw rules, the last two being
> > the important ones:
> > 
> > for port in 22 53 ; do
> >     ipfw add allow udp from any to ${myip} ${port}
> >     ipfw add allow udp from ${myip} ${port} to any
> >     ipfw add allow tcp from any to ${myip} ${port}
> >     ipfw add allow tcp from ${myip} ${port} to any
> > done
> > ipfw add deny udp from any to ${myip}
> > ipfw add deny tcp from any to ${myip}
> > 
> > Why should we special case this?
> Because this doesn't work for non-passive FTP for starters..

Now what would a box with so much security concern such that it needed this knob be doing running an ftp session.... though your point is valid and acceptable for low security boxes. And I can see the real benefit that having this knob for those boxes would be, since it would mean not having to spend the care and attention to create a proper firewall rule set.
The idea is okay in the general sense, this is an easy knob to add, it would increase the security of some boxes, and not require great configuration pains of writing ipfw rules. Would I use it in place of ipfw for what the original person asked about, no way, not in a million years. If I want a box secure it is going to have ipfw or ipfilter rules down to the last detail. Why, well, it would prevent some junior admin from defeating policy by starting up something we don't want anyone to connect to on that box, like ftpd... IMHO, this knob would give some folks a false sense of security, but not so much that I would argue about keeping it out.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
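The rule set quoted in the message above, written out as a script that generates it for any list of ports, is an added example; it is not code from the thread or from FreeBSD. It assumes a constructed sample address (192.0.2.10) and the two ports Rodney used (22 and 53), and it adds one rule the quoted set lacks: an `established` allow ahead of the final TCP deny, so replies to connections the box itself opens are not dropped by the default-deny rule. The rules are printed rather than executed so the script runs on any POSIX shell; on a FreeBSD host the output can be piped into sh to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): build the "allow a few
# ports, deny everything else" ipfw rule set for one host address.
# The port list is a plain word list, so each port gets its own rules.

myip="192.0.2.10"        # constructed sample address for this example
allowed_ports="22 53"    # services this box is meant to accept

# gen_rules IP PORT... : print one ipfw command per line.
gen_rules() {
    ip=$1
    shift
    for port in "$@"; do
        echo "ipfw add allow udp from any to ${ip} ${port}"
        echo "ipfw add allow udp from ${ip} ${port} to any"
        echo "ipfw add allow tcp from any to ${ip} ${port}"
        echo "ipfw add allow tcp from ${ip} ${port} to any"
    done
    # Let replies to TCP connections this host initiated back in; without
    # this the deny below also kills the box's own outbound sessions.
    echo "ipfw add allow tcp from any to ${ip} established"
    # Default deny for everything else arriving at this address.
    echo "ipfw add deny udp from any to ${ip}"
    echo "ipfw add deny tcp from any to ${ip}"
}

# count_rules IP PORT... : number of rules the set would load.
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Usage: print the rule set for this host (pipe into sh on FreeBSD to apply).
gen_rules "$myip" $allowed_ports
```

Note what this set still does not cover: UDP replies to queries the box sends out (an outbound DNS lookup from an ephemeral port, for instance) are dropped by the UDP deny, and active-mode FTP data connections fail for the reason Daniel gives. Closing those gaps is the "care and attention" a proper rule set needs and a blanket drop-without-RST knob does not provide.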