Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
Sanjay Arora wrote:

> Hi all
>
> Just joined the list. Am mostly using IPcop and other Linux flavours for perimeter firewalling. Needed ISP WAN-link balancing and failover, hence my search for a new option. Also have started experimenting with freebsd, so choice was limited to either freebsd or linux. Have downloaded the iso...will install on a Pentium III 550 MHz and revert with feedback within the week.
>
> My thought is that any perimeter firewall should be a minimal design. Would not having php on pfSense make it vulnerable to php vulnerabilities, as well as those of apache? Haven't exactly tried it, so really haven't the right to comment on it but would the community please comment on this and other similar issues inherent in this architecture design?

This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)

Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box. So who cares about any PHP vulnerabilities when you already have root access? And, as others said, most PHP problems are from sloppy PHP code, not issues within PHP itself.

Besides, the ability to even attempt to login is restricted to LAN only by default, and if you're in a situation where you have to worry about what your internal users can attempt on the firewall, you can and should restrict that further.

It's not like PHP is doing the actual firewalling.

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
Chris Buechler wrote:

> Sanjay Arora wrote:
>
> > Hi all
> >
> > Just joined the list. Am mostly using IPcop and other Linux flavours for perimeter firewalling. Needed ISP WAN-link balancing and failover, hence my search for a new option. Also have started experimenting with freebsd, so choice was limited to either freebsd or linux. Have downloaded the iso...will install on a Pentium III 550 MHz and revert with feedback within the week.
> >
> > My thought is that any perimeter firewall should be a minimal design. Would not having php on pfSense make it vulnerable to php vulnerabilities, as well as those of apache? Haven't exactly tried it, so really haven't the right to comment on it but would the community please comment on this and other similar issues inherent in this architecture design?
>
> This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)
>
> Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box. So who cares about any PHP vulnerabilities when you already have root access? And, as others said, most PHP problems are from sloppy PHP code, not issues within PHP itself.
>
> Besides, the ability to even attempt to login is restricted to LAN only by default, and if you're in a situation where you have to worry about what your internal users can attempt on the firewall, you can and should restrict that further.
>
> It's not like PHP is doing the actual firewalling.

As an addition to this: If somebody doesn't like PHP on his firewall, he can just go back, install OpenBSD 3.8 and use vi to edit the rulesets and all the other configuration-options (VLANs, NAT, VPN etc. pp.).

Until there's a multi-user, multi-customer capable interface that allows several virtual firewalls to be administered by different clients/customers, I'm not going to worry about PHP-security one single second.

Firewalls which are managed by a fat-client GUI also had their share of vulnerabilities precisely because the communication between the GUI and the firewall was badly designed or implemented.

cheers,
Rainer

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On 11/28/05, Chris Buechler [EMAIL PROTECTED] wrote:

> This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)

*kick*

> Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box.

These days, the auth is completely handled in PHP. So it's certainly possible.

--Bill

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On 11/28/05, Bill Marquette [EMAIL PROTECTED] wrote:

> On 11/28/05, Chris Buechler [EMAIL PROTECTED] wrote:
>
> > This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)
>
> *kick*
>
> > Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box.
>
> These days, the auth is completely handled in PHP. So it's certainly possible.

Yes, the moral of the story is to lock down the WebGUI to only trusted IPs.

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On Mon, 2005-11-28 at 15:43 -0500, Scott Ullrich wrote:

> On 11/28/05, Bill Marquette [EMAIL PROTECTED] wrote:
>
> > On 11/28/05, Chris Buechler [EMAIL PROTECTED] wrote:
> >
> > > This part of the architecture has changed slightly from m0n0wall I believe, so if I go astray here, somebody kick me back into shape. ;)
> >
> > *kick*
> >
> > > Basically, you can't get to PHP without first being authenticated. At this point, if you're authenticated, you have root access to the box.
> >
> > These days, the auth is completely handled in PHP. So it's certainly possible.
>
> Yes, the moral of the story is to lock down the WebGUI to only trusted IPs.

Me?..I'm going to be paranoid and not allow access to WebGUI from the WAN side at all. Anyways, the port 80 is going to be redirected to DMZ, so it's the only place anyone can get to play and hell ...that's where php apps...poorly coded or not...will be ;-((

However, I would like to make one request to the project design...users be given easily configured modular way to remove (i.e. not compile in) services they do not want on the pfsense box, i.e. the ones that are not basic to the basic firewall function and its GUI e.g. httpd, php cgi.

Will pick up the thread again after evaluating myself.

With best regards.
Sanjay.

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
At 07:32 PM 11/28/2005, you wrote:

> Will pick up the thread again after evaluating myself.

Hmmm... Psychiatric problems? :)

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On 11/28/05, Sanjay Arora [EMAIL PROTECTED] wrote:

> However, I would like to make one request to the project design...users be given easily configured modular way to remove (i.e. not compile in) services they do not want on the pfsense box, i.e. the ones that are not basic to the basic firewall function and its GUI e.g. httpd, php cgi.

Please see the thread titled "Unfork m0n0wall". In particular, Chris's response to removing non-base items.

Scott

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On 11/28/05, Sanjay Arora [EMAIL PROTECTED] wrote:

> However, I would like to make one request to the project design...users be given easily configured modular way to remove (i.e. not compile in) services they do not want on the pfsense box, i.e. the ones that are not basic to the basic firewall function and its GUI e.g. httpd, php cgi.

Request evaluated. W/out the webGUI, it wouldn't be pfSense, it'd be FreeBSD. So uhhh, just install FreeBSD and modify pf.conf by hand ;) You can then rewrite pfSense in shell and feel free not to include a webGUI or use an XML config file (face it, it's not easy to parse that in shell!).

Seriously, the whole point of pfSense is the GUI, if you don't want it, and I mean this in the nicest way possible, you really really don't want pfSense.

--Bill

Re: [pfSense-discussion] Newbie Q: security of php on perimeter firewall
On Mon, 2005-11-28 at 20:13 -0600, Bill Marquette wrote:

> OK, apparently I can't read English...disregard (unless you choose not to of course). Upon the 4th read of this, I deciphered the meaning, which wasn't all that difficult to figure out if I'd read it slower the first three times. Erg.
>
> *putting on the dunce cap*
>
> --Bill

Sorry Bill

Can't licence my proprietary cap to you ;-)

Best regards.
Sanjay.

[pfSense-discussion] Newbie Q: security of php on perimeter firewall
Hi all

Just joined the list. Am mostly using IPcop and other Linux flavours for perimeter firewalling. Needed ISP WAN-link balancing and failover, hence my search for a new option. Also have started experimenting with freebsd, so choice was limited to either freebsd or linux. Have downloaded the iso...will install on a Pentium III 550 MHz and revert with feedback within the week.

My thought is that any perimeter firewall should be a minimal design. Would not having php on pfSense make it vulnerable to php vulnerabilities, as well as those of apache? Haven't exactly tried it, so really haven't the right to comment on it but would the community please comment on this and other similar issues inherent in this architecture design?

With best regards and best wishes for the project.
Sanjay.