Date: Tue, 02 Nov 1999 20:33:49 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Brian Fundakowski Feldman <green@FreeBSD.org>
Cc: Group Paranoia <security@FreeBSD.org>
Subject: Re: hole(s) in default rc.firewall rules
Message-ID: <381F4AAD.1D8E6001@algroup.co.uk>
References: <Pine.BSF.4.10.9911012224120.54551-100000@green.myip.org>
Brian Fundakowski Feldman wrote:
>
> On Mon, 1 Nov 1999, Adam Laurie wrote:
>
> > It seems to me that the following rules (and multiple variations)
> > provide a Great Big Hole(tm) through ipfw into your UDP services...
>
> It's pretty simple to use the following.
>
> >
> > # Allow DNS queries out in the world
> > $fwcmd add pass udp from any 53 to ${ip}
> 53
> > $fwcmd add pass udp from ${ip} to any 53
> >
> > # Allow NTP queries out in the world
> > $fwcmd add pass udp from any 123 to ${ip}
> 123
> > $fwcmd add pass udp from ${ip} to any 123
> >
Yes, but this wouldn't allow userland DNS (like nslookup). My final
suggestion, taking into account comments so far:
# block low port and NFS UDP but allow outgoing and replies for DNS, NTP
# (and anything else that needs it).
$fwcmd add pass udp from any to ${ip} 53,123
$fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
$fwcmd add pass udp from any to any
And for those that don't think this is a serious issue...
Get a copy of netcat. Make sure syslogd is running in default mode (i.e.
without "-s" option) on the target "firewalled" server. Run the
following command on a machine outside the firewall:
nc -u -p 53 -n [firewalled-server-ip] 514
and type some text in. Now go and tail /var/log/messages on the target
server, and you'll see the text that has just walked through your
firewall. I leave it as an exercise for the reader to exploit an NFS
mount in a similar fashion...
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
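The following is an added example, not part of the thread or of FreeBSD's rc.firewall: a small Python model of ipfw's first-match evaluation, run over both the rule set Adam quotes as the hole and the final rule set he proposes. It supports only the rule syntax that appears in the mail (pass/deny, udp, "from <addr> [ports] to <addr> [ports]", with "any" or a literal address and comma-separated ports or ranges). The address 10.0.0.1 stands in for ${ip}, the trailing default-deny is assumed (ipfw's default rule denies unless the kernel was built to accept), and the four packets (the `nc -u -p 53 ... 514` probe, an NFS variant, an nslookup reply to an ephemeral port, and the outgoing query) are constructed for this example.

```python
"""Model ipfw first-match evaluation of the two UDP rule sets from the thread.

Added example, not code from the original mail. Handles only the syntax used
there: 'pass|deny udp from <addr> [ports] to <addr> [ports]'.
"""

import re
from dataclasses import dataclass

FW_IP = "10.0.0.1"  # stands in for ${ip}; constructed value for this example

# The rules quoted as the hole ("$fwcmd add" dropped, ${ip} -> {ip}).
ORIGINAL_RULES = [
    "pass udp from any 53 to {ip}",
    "pass udp from {ip} to any 53",
    "pass udp from any 123 to {ip}",
    "pass udp from {ip} to any 123",
]

# Adam's final suggestion from the mail.
FIXED_RULES = [
    "pass udp from any to {ip} 53,123",
    "deny udp from any to {ip} 0-1023,1110,2049",
    "pass udp from any to any",
]

RULE_RE = re.compile(
    r"^(pass|deny)\s+udp\s+from\s+(\S+)(?:\s+([\d,\-]+))?"
    r"\s+to\s+(\S+)(?:\s+([\d,\-]+))?$"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_ports(spec):
    """'53,123' or '0-1023,1110,2049' -> [(lo, hi), ...]; None means any port."""
    if spec is None:
        return None
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_ok(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def addr_ok(pattern, addr):
    return pattern == "any" or pattern == addr


def evaluate(rules, pkt):
    """Walk the rules in order and return (action, rule_text) for the first match.

    Falls through to a default deny (assumed; ipfw's rule 65535 denies unless
    the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    """
    for text in rules:
        m = RULE_RE.match(text.format(ip=FW_IP))
        if not m:
            raise ValueError(f"unsupported rule syntax: {text}")
        action, src, sports, dst, dports = m.groups()
        if (addr_ok(src, pkt.src) and port_ok(parse_ports(sports), pkt.sport)
                and addr_ok(dst, pkt.dst) and port_ok(parse_ports(dports), pkt.dport)):
            return action, text
    return "deny", "default rule (assumed deny)"


# Constructed packets. 192.0.2.7 is the attacker outside the firewall,
# 198.51.100.53 an external DNS server, 34567 a stand-in ephemeral port.
SYSLOG_PROBE = Packet("192.0.2.7", 53, FW_IP, 514)       # nc -u -p 53 -n <fw> 514
NFS_PROBE = Packet("192.0.2.7", 53, FW_IP, 2049)         # same trick against nfsd
DNS_REPLY = Packet("198.51.100.53", 53, FW_IP, 34567)    # answer to nslookup
DNS_QUERY = Packet(FW_IP, 34567, "198.51.100.53", 53)    # nslookup going out

SAMPLES = {
    "syslog probe (src port 53)": SYSLOG_PROBE,
    "nfs probe (src port 53)": NFS_PROBE,
    "dns reply to ephemeral port": DNS_REPLY,
    "outgoing dns query": DNS_QUERY,
}


def verdicts(rules):
    """Map each sample packet's label to the action the rule set takes on it."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {name} ---")
        for label, pkt in SAMPLES.items():
            action, rule = evaluate(rules, pkt)
            print(f"{label:30} {action:5}  via: {rule}")
```

Run it and the original set passes both probes (the `from any 53 to ${ip}` rule matches regardless of destination port), while the fixed set denies them at the low-port/NFS deny rule and still passes the nslookup reply and the outgoing query. The model also makes the residual exposure visible: the rules are stateless, so a UDP service listening on a high port that is not in the deny list is reachable from any source port under either rule set.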
