From: Nate Williams <nate@mt.sri.com>
Date: Mon, 23 Aug 1999 15:08:30 -0600
To: "Rodney W. Grimes"
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232053.NAA36241@gndrsh.dnsmgr.net>

> > > > I've got some rules in place, but if someone has gotten DNS firewall
> > > > rules I'd be grateful to see them.
> > >
> > > These rules only log things, they are not meant to stop things, all logs
>                   ^^^^^^^^
> You didn't pay attention to this very important point about what these
> rules DO.  I also said later on how to change them to do what you wanted.

Sorry, you're right.  I missed that.

> > > ipfw add 10539 allow log tcp from any to any 53
> >
> > This seems insecure to me.  Any external host can connect to port 53 on
> > your internal hosts.  Also, internal hosts can 'leak' information out
> > externally.
>
> You missed the clause above about ``only log things'', change that
> rule from ``allow log'' to ``deny log'' and it does just what you
> wanted.

Gotcha.  See below.
> > > ipfw add 40530 allow udp from any to A.B.C.D 53
> >
> > Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
> > assume at some point. :)
>
> A.B.C.D is YOUR DNS server, you are in control of how secure it is.

I know, I was (attempting) to be funny.  Obviously I failed. :(

> > > ipfw add 40530 allow udp from A.B.C.D 53 to any
> > > ipfw add 40539 allow log udp from any to any 53
> >
> > This is *NOT* secure, just like the TCP port.
>
> I'm ignoring this, you didn't read very carefully.

Right, it's the next rule that I *needed* though...

> > > ipfw add 40539 allow log udp from any 53 to any
> >
> > This is also insecure, in that it allows anyone to use source port 53 to
> > connect to *any* UDP port in your network.
>
> You have no idea what my other 400 rules do.  All those other UDP ports
> are handled some place else.  If you wanted a full firewall rule set,
> well, that'll be $100/hr...

I've done my best, but I couldn't figure out a 'clean, efficient, and
safe' way of allowing DNS (and NTP, which is in the same boat) to work.
The rules before must disallow connections, but I don't see how you can
do that and still allow connections from port 53.

> > However, I don't like what I have, and was hoping someone could tell me
> > how to lock things down better.
>
> Turn the box off? :-) :-)

Yeah, wouldn't that be easy. :)

Nate
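Added example, written for this archive and not posted by either Nate or Rodney: one way to get DNS and NTP through ipfw without the "allow udp from any 53 to any" rule the thread argues about. It assumes a single DNS server and a single NTP server (placeholder addresses), rule numbers chosen only to sit near the ones quoted above, and the `established` keyword of ipfw of that era; replies from remote port 53 or 123 are admitted only to your own servers, and anything else claiming those source ports is logged and denied.

```shell
#!/bin/sh
# Added example, not from the thread: print an ipfw rule set that lets DNS
# and NTP work without an "allow udp from any 53 to any" hole.  Replies
# from remote port 53/123 are admitted only to your own servers; anything
# else claiming those source ports is logged and dropped.  Addresses and
# rule numbers are placeholders; "established" is assumed to be available.

dns_ntp_rules() {
    dns="$1"   # your DNS server (A.B.C.D in the thread)
    ntp="$2"   # your NTP server
    cat <<EOF
# queries from anywhere to your DNS server, and its replies
ipfw add 40530 allow udp from any to $dns 53
ipfw add 40530 allow udp from $dns 53 to any
# recursion: your server asks out, answers may return to it only
ipfw add 40531 allow udp from $dns to any 53
ipfw add 40531 allow udp from any 53 to $dns
# TCP for zone transfers and large answers, same shape
ipfw add 10530 allow tcp from any to $dns 53
ipfw add 10530 allow tcp from $dns 53 to any
ipfw add 10531 allow tcp from $dns to any 53
ipfw add 10531 allow tcp from any 53 to $dns established
# NTP is in the same boat: server-to-server traffic is 123 to 123
ipfw add 40540 allow udp from any 123 to $ntp 123
ipfw add 40540 allow udp from $ntp 123 to any 123
# everything else with source port 53/123 is now denied, not allowed
ipfw add 40539 deny log udp from any 53 to any
ipfw add 40539 deny log udp from any 123 to any
ipfw add 10539 deny log tcp from any to any 53
EOF
}

# Review the output first, then apply it:
#   dns_ntp_rules 192.0.2.10 192.0.2.11 | sh
```

The rules only need your server's address because internal hosts are expected to resolve through it, which is also why the final TCP rule denies direct port-53 connections from inside.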