[SSHd] Limiting access from authorized IP's
m.seaman at infracaninophile.co.uk
Fri Apr 18 15:59:24 UTC 2008
Paul Schmehl wrote:
> I have maintained publicly available servers for a small hobby domain
> for almost ten years now. Initially, I bought into this logic and ran
> a firewall. (At that time we only had one server.) What it cost me was
> CPU and memory. What it gained me was nothing. I turned it off. I have
> never run a firewall on a publicly available host since.
> Firewalls are for preventing access to running services. By definition,
> if you are running a service, you want it to be accessed. So firewalls
> are self-defeating or completely useless at the host level **unless**
> you don't know what you're doing. For an enterprise they make a great
> deal of sense. No matter what a user inside your network might do, you
> can prevent access by simply not allowing traffic on that port.
On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well-configured server. However, there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.
It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*]. So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, someone
can still send you a spoofed packet to 127.0.0.1 that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/.
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.
Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config. Extending this to back-end networks
etc. is left as an exercise for the student:
scrub in all
antispoof log quick for lo0
[*] Which is not without its legitimate uses, as anyone who has ever configured
a load balancer using DSR mode will attest.
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
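The following is an added example, not part of the original post or of anything Dr Seaman supplied: a small shell script that emits a complete PF ruleset built around the two lines above, extends the antispoof idea to a back-end interface (the "exercise for the student"), and runs the dry-run syntax check an administrator would want before loading it. The interface names em0 and em1, the back-end network 10.0.0.0/24 and the function names pf_ruleset and pf_check are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a PF ruleset that applies the
# antispoof idea to lo0 and also to a back-end interface, plus the checks
# to run after loading it.
# Constructed assumptions: external interface em0, back-end interface em1
# carrying 10.0.0.0/24. The function names pf_ruleset/pf_check are ours.

EXT_IF="em0"
BACKEND_IF="em1"
BACKEND_NET="10.0.0.0/24"

# Emit the ruleset on stdout (kept in a function so it can be inspected,
# written to /etc/pf.conf, or fed to pfctl -nf for a syntax check).
pf_ruleset() {
    cat <<EOF
# normalise incoming traffic: reassemble fragments, drop malformed packets
scrub in all

# "antispoof for IFACE" expands to rules that drop packets arriving on any
# interface *other than* IFACE whose source address belongs to IFACE's
# network(s); "log" sends matches to pflog0, "quick" stops rule evaluation.
antispoof log quick for lo0
antispoof log quick for $BACKEND_IF

# The attack in the post targets the loopback *destination*; antispoof
# covers forged sources, so also refuse loopback-addressed packets that
# did not arrive on lo0, and back-end-addressed packets that arrive on
# the external interface.
block in log quick on ! lo0 inet from any to 127.0.0.0/8
block in log quick on ! lo0 inet6 from any to ::1
block in log quick on $EXT_IF from any to $BACKEND_NET
EOF
}

# Write the ruleset to FILE and, when pfctl exists, parse it without loading
# (-n). On a host without pf (e.g. a Linux build box) just write the file.
pf_check() {
    file="${1:?usage: pf_check FILE}"
    pf_ruleset > "$file"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$file"
    else
        echo "pfctl not found; wrote $file without a syntax check" >&2
    fi
}

# After loading for real (pfctl -f /etc/pf.conf), verify with:
#   pfctl -sr        # shows the block rules the antispoof lines expanded into
#   pfctl -vsr       # per-rule packet counters: a non-zero count on the lo0
#                    # rules means loopback-addressed traffic is hitting the wire
#   tcpdump -n -e -ttt -i pflog0   # watch the logged drops live
```

`pfctl -sr` after loading is the useful sanity check: it prints the concrete `block drop in on ! lo0 ...` rules that `antispoof for lo0` expands to, so you can see exactly which addresses are covered for the interfaces present on that host. The script itself carries only block rules and relies on PF's default pass, matching the post's two-line config; a host with a default-deny policy would add its own pass rules after these.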