Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org, security@freebsd.org
Subject: new firewall code [uid/gid/bind() etc]
Message-ID: <19970106200116.16168.qmail@suburbia.net>
I tried posting the patches but, at 55k, it seems majordumbo has
(silently) rejected them. You may find them at:

    ftp://suburbia.net/tmp/ipfw.diff

My "socket credentials" patches allow you to:

punch wormholes, or restrict access to the IPPORT_RESERVED space, or
restrict access to bind() altogether based on:

    (a) uid
    (b) gid (including secondary groups)
    (c) port
    (d) protocol
    (e) interface

And more importantly:

Restrict access to packets being sent/received on any socket based on:

    (a) the packet (per normal ipfw rules)
    (b) uid
    (c) gid (including secondary groups)

The former permits constructs like:

    /* let uid sendmail bind to port 25 */
    # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind

    /* only let inetd bind - we presume inetd still needs to run as root
       for uid switching when forking off clients */
    # addgroup inetd
    # chgrp inetd /usr/sbin/inetd
    # chmod 2700 /usr/sbin/inetd
    # killall inetd
    # ipfw add accept all from any to any bind gid inetd uid root
    # /* default policy is to deny bind */

    /* keep those without security clearance out of secret network */
    # ipfw add accept all from any to any via ed0 gid secret
    # ipfw add deny all from any to any via ed0 gid any

Logging has also been enhanced:

    # ipfw add 60000 accept log all from any to any bind

    /* example of named starting up */
    ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind

Cheers,
Julian <proff@iq.org>
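The enhanced log lines above carry uid, gid, pid and a trailing "bind" marker, which makes them usable as an audit trail for who is binding which ports. The following parser is an added example, not code from the post or from the patch: it reads lines in exactly the format quoted above (the first three sample lines are copied from the message, the last two are constructed) and flags bind events on ports below IPPORT_RESERVED by non-root uids that are not on an operator-supplied allow list.

```python
import re
from collections import Counter

# Sample log: three lines quoted from the message, plus two constructed ones
# (uid 1001 binding 8080 and attempting 25) to exercise the checks below.
SAMPLE_LOG = """\
ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
ipfw: 60000 Allow TCP 0.0.0.0:8080 0.0.0.0:0 uid 1001 gid 1001 pid 1402 bind
ipfw: 60000 Deny TCP 0.0.0.0:25 0.0.0.0:0 uid 1001 gid 1001 pid 1403 bind
"""

IPPORT_RESERVED = 1024  # ports below this are the privileged range

# One logged rule hit: rule number, action, protocol, local addr:port,
# remote addr:port, optional "via <iface>", credentials, optional "bind".
LINE_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: via (?P<iface>\S+))? uid (?P<uid>\d+) gid (?P<gid>\d+) pid (?P<pid>\d+)"
    r"(?P<bind> bind)?$"
)

def parse_line(line):
    """Parse one log line into a dict; return None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "uid", "gid", "pid"):
        rec[key] = int(rec[key])
    rec["bind"] = rec["bind"] is not None
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def nonroot_reserved_binds(records, allowed=frozenset()):
    """Bind events on a reserved port by a uid other than root, excluding
    (uid, port) pairs the operator expects. Denied attempts are included:
    a repeated denied bind is exactly what an operator wants to see."""
    return [r for r in records
            if r["bind"] and r["uid"] != 0 and r["sport"] < IPPORT_RESERVED
            and (r["uid"], r["sport"]) not in allowed]

def binds_per_uid(records):
    """Count bind events per uid, e.g. to spot a daemon binding unexpectedly often."""
    return Counter(r["uid"] for r in records if r["bind"])
```

With the allow list {(67, 53)} for named, only the constructed uid 1001 attempt on port 25 is reported.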