From owner-freebsd-security Wed Jun 14 13:35:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from horizon.barak-online.net (horizon.barak.net.il [206.49.94.218]) by hub.freebsd.org (Postfix) with ESMTP id 785F037C245 for ; Wed, 14 Jun 2000 13:34:58 -0700 (PDT) (envelope-from bk532@iname.com)
Received: from localhost.local.net (pop09-1-ras1-p180.barak.net.il [212.150.8.180]) by horizon.barak-online.net (8.9.3/8.9.1) with ESMTP id XAA15070; Wed, 14 Jun 2000 23:34:01 +0300 (IDT)
Received: from iname.com (localhost.local.net [127.0.0.1]) by localhost.local.net (8.9.3/8.9.3) with ESMTP id NAA16732; Wed, 14 Jun 2000 13:46:48 +0300 (IDT) (envelope-from bk532@iname.com)
Message-ID: <39476294.5A2D178D@iname.com>
Date: Wed, 14 Jun 2000 13:46:44 +0300
From: Boris Karnaukh
Organization: Private person
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en, ru
MIME-Version: 1.0
To: Hugh Ho , freebsd-security@freebsd.org
Subject: Re: IPFW rules for DNS?
References: <20000613014237.10942.qmail@web210.mail.yahoo.com>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hugh Ho wrote:
>
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
>
>     allow udp from ${my_ip} to ${dns_server} 53
>     allow udp from ${dns_server} 53 to ${my_ip}
>
> The problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?

You can try to implement keep-state/check-state in your ruleset:

    check-state
    allow udp from ${my_ip} to ${dns_server} 53 keep-state

I think that approach can shorten the period of time during which your computer is open to UDP traffic from outside. Thus you won't be so vulnerable to an incoming stream of spoofed DNS replies.

--
Boris Karnaukh (mailto:bk532@iname.com)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
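The difference between the two rulesets in the thread above, as an added example that is not part of the original message or of ipfw itself: a small Python model of the static rule pair versus `check-state` plus `keep-state`, run over constructed UDP packets. The addresses 192.0.2.10 and 198.51.100.53 stand in for `${my_ip}` and `${dns_server}`, and the 10-second dynamic-rule lifetime is an assumed value standing in for ipfw's UDP dynamic-rule timeout (`net.inet.ip.fw.dyn_udp_lifetime`); the state handling is a simplified model, not ipfw's implementation.

```python
"""Model of stateless vs. keep-state ipfw handling of DNS replies.

Added example, not code from the original thread and not ipfw's own logic.
Addresses, ports and the dynamic-rule lifetime below are constructed values.
"""
from dataclasses import dataclass

MY_IP = "192.0.2.10"            # constructed stand-in for ${my_ip}
DNS_SERVER = "198.51.100.53"    # constructed stand-in for ${dns_server}
UDP_DYN_LIFETIME = 10.0         # assumed seconds a UDP dynamic rule lives


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds since the lookup started


def stateless_allows(pkt: Packet) -> bool:
    """The two static rules from the question.

    The second rule accepts *any* UDP datagram whose source is the resolver's
    port 53, regardless of destination port or of whether a query is pending,
    so a spoofed source address is enough to get through at any time.
    """
    if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
        return True
    if pkt.src == DNS_SERVER and pkt.sport == 53 and pkt.dst == MY_IP:
        return True
    return False


class StatefulFilter:
    """'check-state' followed by 'allow udp from my_ip to dns 53 keep-state'.

    An outbound query installs a dynamic rule keyed on the full 4-tuple
    (src, sport, dst, dport). Only packets matching that tuple in either
    direction pass, and only until the rule expires.
    """

    def __init__(self, lifetime: float = UDP_DYN_LIFETIME) -> None:
        self.lifetime = lifetime
        self.dynamic: dict[tuple, float] = {}  # 4-tuple -> expiry time

    def _expire(self, now: float) -> None:
        self.dynamic = {k: exp for k, exp in self.dynamic.items() if exp > now}

    def allows(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # check-state: a packet matching a live dynamic rule is accepted and
        # refreshes that rule's expiry.
        if fwd in self.dynamic or rev in self.dynamic:
            key = fwd if fwd in self.dynamic else rev
            self.dynamic[key] = pkt.t + self.lifetime
            return True
        # keep-state rule: only our own outbound queries create state.
        if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
            self.dynamic[fwd] = pkt.t + self.lifetime
            return True
        return False


def run_scenario() -> dict[str, list[bool]]:
    """Constructed traffic: one real lookup and two spoofed 'replies'.

    Returns the accept/deny verdict of each ruleset for each packet.
    """
    query = Packet(MY_IP, 40123, DNS_SERVER, 53, t=0.0)
    reply = Packet(DNS_SERVER, 53, MY_IP, 40123, t=0.05)
    # Spoofed source, but aimed at a port we never queried from.
    spoof_port = Packet(DNS_SERVER, 53, MY_IP, 514, t=0.1)
    # Correct 4-tuple, but sent long after the dynamic rule has expired.
    spoof_late = Packet(DNS_SERVER, 53, MY_IP, 40123, t=60.0)
    packets = [query, reply, spoof_port, spoof_late]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allows(p) for p in packets],
        "stateful": [stateful.allows(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s}", verdicts)
```

The model makes the reply's point concrete: the static rule pair accepts all four packets, while the stateful ruleset accepts only the query and its matching reply. Note what keep-state does not do: a forged reply that arrives within the lifetime window and guesses the right ephemeral source port still matches the dynamic rule, so the stateful approach narrows the exposure rather than removing it.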