From owner-freebsd-stable Fri Feb 16 21:50:24 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from quack.kfu.com (quack.kfu.com [205.178.90.194]) by hub.freebsd.org (Postfix) with ESMTP id EC0F237B65D for ; Fri, 16 Feb 2001 21:50:21 -0800 (PST)
Received: from morpheus.kfu.com ([205.178.90.230]) by quack.kfu.com (8.11.1/8.11.1) with ESMTP id f1H5oLv24293; Fri, 16 Feb 2001 21:50:21 -0800 (PST) (envelope-from nsayer@quack.kfu.com)
Received: from quack.kfu.com by morpheus.kfu.com with ESMTP (8.11.1//ident-1.0) id f1H5oLd38702; Fri, 16 Feb 2001 21:50:21 -0800 (PST)
Message-ID: <3A8E111C.9060100@quack.kfu.com>
Date: Fri, 16 Feb 2001 21:50:20 -0800
From: Nick Sayer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD 4.2-RELEASE i386; en-US; 0.8) Gecko/20010216
X-Accept-Language: en-GB, en-US, en
MIME-Version: 1.0
To: Gordon Tetlow
Cc: Trevin Chow , FreeBSD Stable
Subject: Re: Can't Telnet but can SSH?
References:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Gordon Tetlow wrote:
>
> allow tcp from any to ${oip} 53 setup
> allow udp from any to ${oip} 53
> allow udp from ${oip} 53 to any

This is _exceedingly_ insecure. This allows anyone to bind any instrument of destruction they wish to their machine on port 53 and something more dangerous on your inside -- perhaps port 2049 (NFS)?

The proper solution to the problem is the stateful filtering in ipfw. Something like this:

ipfw add check-state
ipfw add pass udp from any to any out xmit ${oif} keep-state
ipfw add pass ip from any to any out xmit ${oif}
ipfw add pass tcp from any to any established

At this point you can add a series of tcp setup passes for allowed incoming connections. Such as:

ipfw add pass tcp from any to ${smtp_serv} 25 setup
ipfw add pass udp from any to ${dns_serv} 53
ipfw add pass tcp from any to ${dns_serv} 53 setup
ipfw add pass tcp from any to ${www_serv} 80 setup
...
and so on.

That's not a complete firewall by any means. You'll want to add anti-spoofing and other sanity checks. This rule fragment also obviates the need for any named.conf games to restrict the source port of DNS queries.
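To make the check-state/keep-state behaviour concrete, here is an added example (not part of the post and not ipfw's own code): a toy first-match model of the ruleset above, with constructed documentation-range addresses standing in for ${oip}, ${smtp_serv} and an external resolver. It shows that an outbound UDP query creates a dynamic rule, the matching reply is passed by check-state, an unsolicited inbound packet from source port 53 to port 2049 is denied, and only the listed 'setup' rules admit new inbound TCP connections.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 ranges), not values from the post.
OIP = "203.0.113.10"        # firewall's outside address, stands in for ${oip}
SMTP_SERV = "203.0.113.25"  # inside mail server, stands in for ${smtp_serv}
EXT_DNS = "198.51.100.53"   # external resolver the firewall sends queries to
OTHER = "198.51.100.66"     # some unrelated external host

@dataclass(frozen=True)
class Pkt:
    proto: str               # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    out: bool                # True = leaving via ${oif}, False = arriving on it
    syn_only: bool = False   # TCP SYN without ACK, i.e. what ipfw "setup" matches

class StatefulFirewall:
    """Toy model of the post's rules, evaluated first-match like ipfw:
    check-state, keep-state on outbound UDP, pass outbound IP,
    pass established TCP, then explicit setup rules, then deny."""
    def __init__(self):
        self.flows = set()   # dynamic rules that keep-state would create

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:       # ipfw add check-state
            return "pass dynamic"
        if p.proto == "udp" and p.out:                   # pass udp ... out keep-state
            self.flows.add(fwd)
            return "pass keep-state"
        if p.out:                                        # pass ip from any to any out
            return "pass out"
        if p.proto == "tcp" and not p.syn_only:          # pass tcp ... established
            return "pass established"
        if p.proto == "tcp" and (p.dst, p.dport) == (SMTP_SERV, 25):
            return "pass setup smtp"                     # pass tcp ... 25 setup
        return "deny"                                    # nothing matched

def demo():
    fw = StatefulFirewall()
    query = Pkt("udp", OIP, 45678, EXT_DNS, 53, out=True)      # our DNS query
    reply = Pkt("udp", EXT_DNS, 53, OIP, 45678, out=False)     # the resolver's answer
    stray = Pkt("udp", OTHER, 53, OIP, 2049, out=False)        # unsolicited, sport 53
    smtp = Pkt("tcp", OTHER, 4000, SMTP_SERV, 25, out=False, syn_only=True)
    return [fw.filter(query), fw.filter(reply), fw.filter(stray), fw.filter(smtp)]

if __name__ == "__main__":
    print(demo())
```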