[SSHd] Limiting access from authorized IP's

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Apr 18 15:59:24 UTC 2008

Paul Schmehl wrote:

> I have maintained publicly available servers for a small hobby domain 
> for almost ten years now.  Initially, I bought in to this logic and ran 
> a firewall. (At that time we only had one server.)  What it cost me was 
> CPU and memory. What it gained me was nothing.  I turned it off.  I have 
> never run a firewall on a publicly available host since.
> Firewalls are for preventing access to running services.  By definition, 
> if you are running a service, you want it to be accessed.  So firewalls 
> are self-defeating or completely useless at the host level **unless** 
> you don't know what you're doing.  For an enterprise they make a great 
> deal of sense.  No matter what a user inside your network might do, you 
> can prevent access by simply not allowing traffic on that port.

On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well configured server.  However there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.

It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*].  So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, some one
can still send you a spoofed packet to that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.
See eg: 


Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config.  Extending this to back-end networks
etc. is left as an exercise for the student:

   scrub in all
   pass all
   antispoof log quick for lo0



[*] Which is not without its legitimate uses, as anyone who as ever configured
a load balancer using DSR mode will attest.

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080418/19bce50c/signature.pgp

More information about the freebsd-questions mailing list