From owner-freebsd-hackers Mon Jun 2 03:37:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA11889 for hackers-outgoing; Mon, 2 Jun 1997 03:37:05 -0700 (PDT)
Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA11884 for ; Mon, 2 Jun 1997 03:37:03 -0700 (PDT)
Received: (from eivind@localhost) by bitbox.follo.net (8.7.6/8.7.3) id MAA19344; Mon, 2 Jun 1997 12:36:30 +0200 (MET DST)
Date: Mon, 2 Jun 1997 12:36:30 +0200 (MET DST)
Message-Id: <199706021036.MAA19344@bitbox.follo.net>
From: Eivind Eklund
To: Harlan Stenn
CC: perhaps@yes.no, hackers@FreeBSD.ORG
In-reply-to: Harlan Stenn's message of Mon, 02 Jun 1997 04:33:16 -0300
Subject: Re: Improvements to rc.firewall?
References: <199706020739.JAA18950@bitbox.follo.net> <5827.865240396@mumps.pfcs.com>
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

[Harlan Stenn]
> I "sort of" tested them, and they worked for me.
>
> I checked this out by doing a tcpdump of my ppp link, and looked at all
> of the DNS traffic. Responses to my queries came in to *my* port 53.

Only when it is your name server doing the queries. My test went somewhat like this (ifi.uio.no is an arbitrary name server):

% nslookup www.netscape.com                 (get address - default local nameserver)
% nslookup www.netscape.com ifi.uio.no      (Don't get address)
% ipfw add 50 allow udp from any 53 to any
% nslookup www.netscape.com ifi.uio.no      (get address)

My default setup doesn't allow udp any 53 to any - I'm running a local name server. However, those that do not would be denied DNS, which is a Bad Thing. The part for firewall (not just strengthened host) might benefit from the change, though.

> Independent of whether or not my suggested rule is wrong, the old rule
> will give free rein to anybody who sends UDP packets from their NTP or
> DNS ports.

Yeah, that is a Bad Thing.

I'm using a home-brewed set of rules, so I haven't looked the standard ones over too closely - perhaps something like

ipfw add pass udp from any 53 to %{ip} 53,1000-65535 #(or was that 32767?)

would be better? It is still a vulnerability :-(

I don't know enough about the NTP part to say anything, and I don't have time to do testing right now - sorry.

Eivind.
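The difference between the old rule and the tightened one, as an added example that is not part of the mail or of FreeBSD's rc.firewall: a small evaluator for just the fields those two ipfw rules test, run against constructed packets. The host address 192.0.2.10 standing in for %{ip}, the sample packets and the deny-by-default policy are assumptions of this example.

```python
"""Compare the two ipfw UDP rules from the mail on constructed packets.
Added example, not code from the mail or from FreeBSD; it models only
source port, destination address and destination port, and assumes a
ruleset that denies anything no rule passes."""
from dataclasses import dataclass
from typing import Optional

HOST_IP = "192.0.2.10"   # constructed stand-in for %{ip} in the mail


@dataclass(frozen=True)
class Rule:
    src_port: Optional[int]   # None means "any"
    dst_ip: Optional[str]     # None means "any"
    dst_ports: frozenset      # empty set means any destination port


def port_list(spec: str) -> frozenset:
    """Parse an ipfw port list such as '53,1000-65535' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


# "allow udp from any 53 to any": trusts the sender's source port alone.
OLD_RULE = Rule(src_port=53, dst_ip=None, dst_ports=frozenset())
# "pass udp from any 53 to %{ip} 53,1000-65535": also pins the destination
# address and limits destination ports to DNS plus the resolver's high ports.
NEW_RULE = Rule(src_port=53, dst_ip=HOST_IP, dst_ports=port_list("53,1000-65535"))


def udp_decision(rule: Rule, src_port: int, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' if the UDP packet matches the rule, else 'deny'."""
    if rule.src_port is not None and src_port != rule.src_port:
        return "deny"
    if rule.dst_ip is not None and dst_ip != rule.dst_ip:
        return "deny"
    if rule.dst_ports and dst_port not in rule.dst_ports:
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed packets: a genuine DNS reply to the resolver's ephemeral
    # port, a source-port-53 packet to a low service port, one to another
    # host, and one to a high port on this host (the gap the mail still flags).
    for pkt in [(53, HOST_IP, 1234), (53, HOST_IP, 514),
                (53, "192.0.2.99", 1234), (53, HOST_IP, 2049)]:
        print(pkt, "old:", udp_decision(OLD_RULE, *pkt),
              "new:", udp_decision(NEW_RULE, *pkt))
```

The last sample packet shows why the tightened rule is "still a vulnerability": a stateless rule keyed on source port 53 cannot tell a DNS reply from any other datagram aimed at a high port.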