Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Chuck Swiger (
Date: 06/02/05

  • Next message: Carson Gaspar: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    Date: Wed, 1 Jun 2005 22:10:08 -0400

    [ This post has been edited per moderator request. While I support
    the idea of keeping a polite discussion, the moderator's timing was a
    bit late, perhaps... ]

    On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
    > On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
    [ ... ]
    >> You shouldn't permit inbound HTTP to any box, just to machines which
    >> actually are intended to run an HTTP server. You shouldn't enable
    >> WebDAV and SOAP and other fancy bits unless you need them. And you
    >> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
    >> those via a proxy server.
    > Uh huh. But you're letting ssh out so how do you enforce any of this?

    I start by not giving logins and SSH access to users I don't trust.
    I don't give user access to servers and infrastructure like firewalls
    and switches that users don't need to have shells on. I also perform
    network monitoring, process monitoring on important servers, etc and
    look for traffic patterns which shouldn't be there to help catch the

    That, and I encourage users to SSH port forward using a semi-trusted
    machine in the DMZ, just as one ought to terminate a VPN endpoint in
    the DMZ by preference, where you can.

    [ ... ]
    >>> Personally, I'd prefer to be able to configure a UPnP server than
    >>> just open random ports, permanently on my firewall, wouldn't you?
    >> No. I'd rather explicitly manage the services which are permitted
    >> through the firewall.
    > Hmmm, you've said "no" but then gone on to say exactly what I was
    > saying, or is there some part of "configure" that doesn't imply
    > "manage" ?

    Sure. If some random user or guest plugs in a laptop with an 802.11
    card or a wireless router to a company's internal subnet, they've
    configured a backdoor, a network topology which goes around the
    firewall and thus is a serious hole to network security.

    That doesn't mean this action was "managed" as in, the person who
    runs the firewall and is responsible for security has approved it. I
    don't want a firewall I manage to open ports because some user
    somewhere has plugged in a new device that really thinks it ought to
    have access via UPnP to, well, anything that device might happen to

    >> If I cared about the security of the box in question, it wouldn't be
    >> running bittorrent or any other flavor of peer-to-peer networking.
    > Ok, so you're doing some gratuitous fishing for more personal
    > remarks?
    > Because I can't take what you've said seriously.

    I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
    or Grokster, on a machine with data that I care about keeping
    secret. I might be willing to set that software up on a box in the
    DMZ that does anonymous FTP, because I am willing to recover that
    data from backup if need be, and because I don't worry about
    disclosure of stuff which is already publicly available.

    However, I surely wouldn't run that kind of software on a mission-
    critical fileserver or database, and I surely won't advise anyone
    else to do so, either.

    firewall-wizards mailing list
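Editor's note, added to this archived post and not part of Chuck's or Darren's text: the point of contention above is who decides which ports the firewall opens. PF itself has no UPnP component; a port is opened only by a rule an administrator wrote (or by a separate daemon writing into an anchor the administrator created for it). The pf.conf below, written for the OpenBSD 3.x syntax current when this thread was posted, is an added example of the explicit policy Chuck describes: inbound HTTP only to the one host meant to serve it, outbound web traffic only via a proxy, and SSH terminated on a semi-trusted DMZ host. All interface names, subnets and host addresses are assumed placeholders.

```pf
# Added example, not from the original post. OpenBSD 3.x-era pf.conf
# (nat/rdr syntax; "keep state" must be written explicitly). All values
# below are assumed placeholders.
ext_if    = "fxp0"            # Internet-facing interface (assumed)
int_if    = "fxp1"            # internal LAN (assumed)
dmz_if    = "fxp2"            # DMZ (assumed)
int_net   = "10.0.0.0/24"     # internal subnet (assumed)
admin_net = "10.0.0.0/28"     # workstations allowed to reach the SSH gateway (assumed)
dmz_net   = "192.168.1.0/24"  # DMZ subnet (assumed)
www_srv   = "192.168.1.10"    # the only host intended to run an HTTP server (assumed)
proxy     = "192.168.1.11"    # outbound HTTP/HTTPS goes through this proxy (assumed)
sshgw     = "192.168.1.12"    # semi-trusted DMZ host users port-forward through (assumed)

set skip on lo0
scrub in all

# Translation. Internal and DMZ hosts masquerade behind the external address.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# The only inbound redirections are the ones written here. No device on
# the LAN can add to this list; only someone editing this file can.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $sshgw

# Default deny in both directions and log it; every pass rule below is an
# explicit, managed exception. Last matching rule wins unless "quick".
block log all

# Inbound from the Internet: HTTP only to the web server, SSH only to the
# DMZ gateway. The packet must be passed in on $ext_if and out on $dmz_if.
pass in  on $ext_if proto tcp from any to $www_srv port 80 flags S/SA keep state
pass in  on $ext_if proto tcp from any to $sshgw   port 22 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $www_srv port 80 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $sshgw   port 22 flags S/SA keep state

# Internal users do not get arbitrary outbound HTTP. They reach the proxy
# (assumed to listen on 3128); only the proxy may talk to the Internet on
# 80/443. A direct LAN -> Internet web connection matches nothing but
# "block log all" above.
pass in  on $int_if proto tcp from $int_net to $proxy port 3128 flags S/SA keep state
pass out on $dmz_if proto tcp from $int_net to $proxy port 3128 flags S/SA keep state
pass in  on $dmz_if proto tcp from $proxy to any port { 80, 443 } flags S/SA keep state
pass out on $ext_if proto tcp from $proxy to any port { 80, 443 } flags S/SA keep state

# SSH: only admin workstations may open sessions to the DMZ gateway, and
# the gateway is the only host allowed to SSH out. Users who need tunnels
# forward through $sshgw rather than straight from their desktops.
pass in  on $int_if proto tcp from $admin_net to $sshgw port 22 flags S/SA keep state
pass out on $dmz_if proto tcp from $admin_net to $sshgw port 22 flags S/SA keep state
pass in  on $dmz_if proto tcp from $sshgw to any port 22 flags S/SA keep state
pass out on $ext_if proto tcp from $sshgw to any port 22 flags S/SA keep state
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. The check a practitioner wants afterwards is that the running ruleset is exactly what was written: `pfctl -sn` should list only the nat and rdr rules above, `pfctl -sr` only the filter rules above, and `pfctl -sA` should show no anchors you did not create yourself. A UPnP daemon that drives PF would have to keep its dynamically opened ports in an anchor, so an unexpected anchor in that listing is the sign that something other than the administrator is deciding what the firewall passes. On OpenBSD 4.1 and later, `keep state` is the default and can be dropped; on 4.7 and later the nat and rdr lines become `match out on $ext_if ... nat-to ($ext_if)` and `pass in on $ext_if ... rdr-to $www_srv`, with the filter rules otherwise unchanged.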