Re: [SSHd] Limiting access from authorized IP's

Fri, 18 Apr 2008 08:59:36 -0700 

Paul Schmehl wrote:
I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. 


Firewalls are for preventing access to running services.  By definition, 
if you are running a service, you want it to be accessed.  So firewalls 
are self-defeating or completely useless at the host level **unless** 
you don't know what you're doing.  For an enterprise they make a great 
deal of sense.  No matter what a user inside your network might do, you 
can prevent access by simply not allowing traffic on that port.


On the whole I agree with you -- you should be able to view a firewall as
a luxury rather than a necessity on a well configured server.  However there
is one rather nasty loophole that you can block with a firewall which otherwise
is pretty impossible to deal with, at least on FreeBSD machines.

It's all to do with the weak routing model -- that is, a network packet to
an IP on one of a host's interfaces will be accepted on *any* interface on
that host[*].  So even though you protect services that are not meant to be
for public consumption by binding them to the loopback address, some one
can still send you a spoofed packet to 127.0.0.1 that arrives on your external
network i/f /and it will let you connect to the service bound to the loopback/
The attacker has to have access to the same layer 2 network as your host,
but sending the spoofed packet is as simple as tweaking the routing table.

See eg: 


   http://seclists.org/bugtraq/2001/Mar/0042.html

Blocking this sort of attack against the loopback address can be done with
the following 3 line PF firewall config.  Extending this to back-end networks
etc. is left as an exercise for the student:

  scrub in all
  pass all
  antispoof log quick for lo0

        Cheers,

        Matthew

[*] Which is not without its legitimate uses, as anyone who as ever configured
a load balancer using DSR mode will attest.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW




Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to