Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Chuck Swiger (chuck_at_codefab.com)
To: email@example.com Date: Wed, 1 Jun 2005 22:10:08 -0400
[ This post has been editted per moderator request. While I support
the idea of keeping a polite discussion, the moderator's timing was a
bit late, perhaps... ]
On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
> On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
[ ... ]
>> You shouldn't permit inbound HTTP to any box, just to machines which
>> actually are intended to run an HTTP server. You shouldn't enable
>> WebDAV and SOAP and other fancy bits unless you need them. And you
>> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
>> those via a proxy server.
> Uh huh. But you're letting ssh out so how do you enforce any of this?
I start by not giving logins and SSH access to users I don't trust.
I don't give user access to servers and infrastructure like firewalls
and switches that users don't need to have shells on. I also perform
network monitoring, process monitoring on important servers, etc and
look for traffic patterns which shouldn't be there to help catch the
That, and I encourage users to SSH port forward using a semi-trusted
machine in the DMZ, just as one ought to terminate a VPN endpoint in
the DMZ by preference, where you can.
[ ... ]
>>> Personally, I'd prefer to be able to configure a UPnP server than
>>> open random ports, permanently on my firewall, wouldn't you?
>> No. I'd rather explicitly manage the services which are permitted
>> through the firewall.
> Hmmm, you've said "no" but then gone on to say exactly what I was
> saying, or is there some part of "configure" that doesn't imply
> "manage" ?
Sure. If some random user or guest plugs in a laptop with an 802.11
card or a wireless router to a companies' internal subnet, they've
configured a backdoor, a network topology which goes around the
firewall and thus is a serious hole to network security.
That doesn't mean this action was "managed" as in, the person who
runs the firewall and is responsible for security has approved it. I
don't want a firewall I manage to open ports because some user
somewhere has plugged in a new device that really thinks it ought to
have access via UPnP to, well, anything that device might happen to
>> If I cared about the security of the box in question, it wouldn't be
>> running bittorrent or any other flavor of peer-to-peer networking.
> Ok, so you're doing some gratuitious fishing for more personal
> Because I can't take what you've said seriously.
I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
or Grokster, on a machine with data that I care about keeping
secret. I might be willing to set that software up on a box in the
DMZ that does anonymous FTP, because I am willing to recover that
data from backup if need be, and because I don't worry about
disclosure of stuff which is already publicly available.
However, I surely wouldn't run that kind of software on a mission-
critical fileserver or database, and I surely won't advise anyone
else to do so, either.
-- -Chuck _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards