Security warning with sshd

Alexander Leidinger Alexander at Leidinger.net
Tue Aug 23 16:54:41 GMT 2005


Stephen Major <smajor at gmail.com> wrote:

> The issue he is having I had the exact same problems, as soon as I changed
> my config to the one below poof no more problems. You can set your firewall
> however you want. I was just saying what gets rid of the problem he is
> having with ssh.

I wasn't commenting the ssh issue, since it isn't clear why the problem
exists. At least I haven't seen a problem analysis where the cause of this
was shown. Maybe I missed it. So your posting may be the right solution or
not. I don't know yet, and I don't care about this in this mail, since I
wasn't talking about the ssh issue (see below).

> So instead of ripping apart what I have said why do you not provide a better
> solution to the original question asked.

I wasn't ripping apart what you said. I just wanted to be helpful and share a
little bit of knowledge. You're mixing stateful with non-stateful rules and
this may result in unwanted packets traveling through the firewall. I
thought you (and maybe others) may be interested in this.

BTW.: in some environments this is a hole in the firewall and needs to be
fixed, so one shouldn't use this part of your example. Since the security
mailinglist is in the CC, we can't let this problem be uncommented.

Another helpful suggestion: Please don't quote everything and please write
your comments below the parts where they belong. This is common behavior in
the FreeBSD lists and doing the opposide will result in less (useful)
responses from some members of the lists (because it makes the mail harder
to read and people may decide to not spend the time to read the mail and
point out problem solutions or small bugs in your offering of a solution).

Bye,
Alexander.

-- 
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
To add insult to injury.
		-- Phaedrus




More information about the freebsd-questions mailing list