Router vs. Firewall [Re: OpenSSH 3.7.1p2]

Dagmar d'Surreal dagmar.wants at
Wed Sep 24 13:02:06 PDT 2003

On Wed, 2003-09-24 at 07:26, Michael Jastram wrote:
> This is kind of unrelated, but I am not clear on the following statement:
> > (The moral is, when you build a firewall, build a firewall and not
> > a router with filtering capabilities.)
> Dagmar, Could you clarify what you mean?  Are you implying that a firewall
> is more than just a set of filters, or do you mean that the firewall
> should not have routing capabilities?
> Confused...

I mean most people utterly disregard the Principle of Least Privilege
when designing their security policies, and the most stark contrast
between what is and what should be can be found in the firewall.

The Principle of Least Privilege states "that which is not explicitly
allowed, is denied by default", and is not the same as looking at a lot
of different things that could happen and stopping them from happening.
It's about not allowing _anything_ to happen, and only selectively
allowing the sane, trusted things you need to happen.

The main reason people make this mistake is that they just don't think
of the accurate interpretation of the rule as reasonable, so they
mentally translate it into something more permissive (which is logically
less secure).  They set up their router, and then add rules to filter
out certain traffic and call it a firewall, which is entirely
ass-backwards.  The process _should_ be setting up a machine which
doesn't pass any traffic and allows no connections at all, and then add
the ability to route traffic from some netblocks to specific ports and
machines on the other side.  If, for whatever reason, a service on a
host needs to be available from the network, it should be available to
only the fewest possible source addresses that are allowed access.  With
a public service like http this would be the planet, but for sshd?
Absolutely not.

Folks who are allowing all types of traffic through their "firewall" and
who aren't starting with "ALL : ALL" in /etc/hosts.deny are just
basically targets waiting for the next exploit to be found.

The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.
AIM: evilDagmar  Jabber: evilDagmar at
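
The "start from nothing, then open only what the policy names" approach described in the post, as an added example that is not part of the original message: a small POSIX shell generator that emits an iptables-restore ruleset whose every chain policy is DROP, with FORWARD rules only for the (source netblock, host, protocol, port) tuples listed in an allow-list, plus the matching tcp_wrappers files with "ALL : ALL" in hosts.deny. The interface names, the web server address 192.0.2.10, the ssh host 192.0.2.20 and the admin netblock 198.51.100.0/24 are constructed placeholders (RFC 5737 / 6890 documentation ranges), not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a default-deny
# firewall policy; apply the output with `iptables-restore` as root.
# Assumed (constructed) topology: a public web server at 192.0.2.10 and a
# host running sshd at 192.0.2.20 behind the firewall; ssh administration
# comes only from 198.51.100.0/24.

# gen_ruleset ALLOWLIST
#   ALLOWLIST: newline-separated "<src-cidr> <dst-ip> <proto> <port>" lines.
#   Prints an iptables-restore filter table to stdout.
gen_ruleset() {
    allow="$1"
    printf '*filter\n'
    # Step 1: the box passes nothing. With every policy set to DROP, a
    # packet is denied unless some later rule explicitly accepts it, which
    # is the "denied by default" half of least privilege.
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT DROP [0:0]\n'
    # Loopback, plus replies belonging to connections that a rule below
    # already admitted (the firewall itself never opens new flows).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Step 2: selectively add the ability to route traffic from named
    # source netblocks to specific ports on specific hosts. Nothing else
    # is forwarded.
    printf '%s\n' "$allow" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        printf '%s\n' "-A FORWARD -s $src -d $dst -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# tcp_wrappers on the protected hosts: deny everything in hosts.deny, then
# list the few permitted client networks per daemon in hosts.allow.
gen_hosts_deny() {
    printf 'ALL : ALL\n'
}

# gen_hosts_allow DAEMON NET/MASK   (classic tcpd "net/mask" notation)
gen_hosts_allow() {
    printf '%s : %s\n' "$1" "$2"
}

# count_forward_accepts RULESET  -- how many FORWARD rules admit traffic;
# a quick check that the generated policy opens only what was asked for.
count_forward_accepts() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD .* -j ACCEPT'
}

# Constructed policy: http from anywhere to the web server, ssh only from
# the admin netblock to the ssh host. Nothing else crosses the firewall.
POLICY='0.0.0.0/0 192.0.2.10 tcp 80
198.51.100.0/24 192.0.2.20 tcp 22'

# Usage (as root, on the firewall):
#   gen_ruleset "$POLICY" > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
# and on the host running sshd:
#   gen_hosts_deny  > /etc/hosts.deny
#   gen_hosts_allow sshd 198.51.100.0/255.255.255.0 > /etc/hosts.allow
```

Note the order of operations: the DROP policies are the first lines in the file, so there is never a moment during `iptables-restore` when the box forwards unfiltered traffic; the allow-list then names exactly the source ranges each service is exposed to, with sshd reachable only from one netblock rather than the planet.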
