Date: Mon, 2 Jun 1997 12:36:30 +0200 (MET DST)
From: Eivind Eklund <perhaps@yes.no>
To: Harlan Stenn <Harlan.Stenn@pfcs.com>
Cc: perhaps@yes.no, hackers@FreeBSD.ORG
Subject: Re: Improvements to rc.firewall?
Message-ID: <199706021036.MAA19344@bitbox.follo.net>
In-Reply-To: Harlan Stenn's message of Mon, 02 Jun 1997 04:33:16 -0300
References: <199706020739.JAA18950@bitbox.follo.net> <5827.865240396@mumps.pfcs.com>
[Harlan Stenn]
> I "sort of" tested them, and they worked for me.
>
> I checked this out by doing a tcpdump of my ppp link, and looked at all
> of the DNS traffic. Responses to my queries came in to *my* port 53.

Only when it is your name server doing the queries. My test went somewhat like this (ifi.uio.no is an arbitrary name server):

% nslookup www.netscape.com                 (get address - default local nameserver)
% nslookup www.netscape.com ifi.uio.no      (Don't get address)
% ipfw add 50 allow udp from any 53 to any
% nslookup www.netscape.com ifi.uio.no      (get address)

My default setup doesn't allow udp any 53 to any - I'm running a local name server. However, those that do not would be denied DNS, which is a Bad Thing. The part for firewall (not just strengthened host) might benefit from the change, though.

> Independent of whether or not my suggested rule is wrong, the old rule
> will give free rein to anybody who sends UDP packets from their NTP or
> DNS ports.

Yeah, that is a Bad Thing. I'm using a home brewed set of rules, so I haven't looked the standard ones over too closely - perhaps something like

    ipfw add pass udp from any 53 to %{ip} 53,1000-65535   #(or was that 32767?)

would be better? It is still a vulnerability :-(

I don't know enough about the NTP part to say anything, and I don't have time to do testing right now - sorry.

Eivind.
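Added illustration, not part of the original mail or of rc.firewall: a toy first-match evaluator in Python for the two rule shapes the thread compares, the old "allow udp from any 53 to any" and the proposed destination-port-restricted form. It assumes addresses are out of scope (the %{ip} placeholder is taken to be the local host) and models only protocol and ports, including the ipfw "53,1000-65535" port-list syntax.

```python
"""Toy first-match model of two ipfw rules from the rc.firewall thread.

Constructed example: it ignores addresses and models only protocol,
source port and destination port(s) so the effect of restricting the
destination side can be seen on concrete packets.
"""
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # only "udp" is used here
    src_ports: Optional[Set[int]]   # None means "any"
    dst_ports: Optional[Set[int]]   # None means "any"

def parse_ports(spec: str) -> Optional[Set[int]]:
    """Parse an ipfw-style port list such as "53,1000-65535"; "any" -> None."""
    if spec == "any":
        return None
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")          # "53" -> (53, 53); "1000-65535" -> (1000, 65535)
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def matches(rule: Rule, proto: str, sport: int, dport: int) -> bool:
    return (rule.proto == proto
            and (rule.src_ports is None or sport in rule.src_ports)
            and (rule.dst_ports is None or dport in rule.dst_ports))

def evaluate(rules: List[Rule], proto: str, sport: int, dport: int) -> str:
    """ipfw semantics: the first matching rule decides; fall through to deny."""
    for rule in rules:
        if matches(rule, proto, sport, dport):
            return rule.action
    return "deny"

# Old rule quoted in the thread: anything sourced from UDP port 53 gets in.
OLD_RULESET = [Rule("allow", "udp", {53}, None)]
# Proposed rule: source port 53, but only to the resolver port or to client ports.
NEW_RULESET = [Rule("allow", "udp", {53}, parse_ports("53,1000-65535"))]

def compare(sport: int, dport: int) -> Tuple[str, str]:
    """Verdict of (old rule, proposed rule) for an inbound UDP packet."""
    return (evaluate(OLD_RULESET, "udp", sport, dport),
            evaluate(NEW_RULESET, "udp", sport, dport))
```

A reply to a client query (source 53, destination 1025) passes both rulesets, while source 53 to a privileged port such as 111 passes only the old one; the remaining weakness the mail points at is that a forged source port 53 still reaches every unprivileged destination port.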