Date: Sat, 24 Aug 2002 12:49:43 +0200 (CEST)
From: Rob J Meijer <rmeijer@xs4all.nl>
To: freebsd-security@FreeBSD.ORG
Subject: user based firewalling with ipfw and privileged ports.
Message-ID: <20020824100341.T75248-100000@xs1.xs4all.nl>
In-Reply-To: <20020823083714.GA39848@killer.crypton.pl>
Lately I have been trying to port a public domain software project of mine (cduck) to the FreeBSD platform. On the original platform (Linux) I made use of iptables with the owner module, and on FreeBSD of ipfw and the user based filtering that they provide. I use these filters in order to set up an extended chroot environment for the servers that make up my project.

For the most part this seems to work perfectly, and I did not discover the problem that seems to appear with both iptables on Linux and with ipfw on FreeBSD until by chance I ran into it while porting to FreeBSD. First I thought it was a problem only in FreeBSD, but later I confirmed that the same problem was also present on the original platform, and it thus seems to be a rather fundamental problem.

The problem is that I need to bind to a privileged port, and in order to do this I need to start as root and then change the (e&r) uid of the process to the target uid. It appears that changing the process's uid does not change the way that the user bit of traffic from the specific socket is seen; both iptables and ipfw interpret the traffic as coming from the root user.

For the most part, with static firewall rules this would not be a problem; however, I am using the logs of ipfw in a trivial intrusion detection system (part of my project) that will try to pull the network plug on compromised subsystems by denying all traffic from the user that the service is running as.

It seems this is a fundamental flaw in the design of ipfw on FreeBSD (and for that matter also in iptables on Linux). Am I right in assuming this to be such a flaw, is this problem known, or is there some flaw in the way I am binding to a privileged port that I could fix in my project? (I already tried duplicating the socket after changing user; this has no effect either.)

T.I.A.

Rob J Meijer
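The bind-as-root-then-change-uid sequence the mail describes, as an added example in C that is not code from the cduck project: it binds a loopback listener, drops root to a caller-chosen uid/gid in the correct order, and checks that the process credential really changed. It only checks the process credential; whether the firewall's uid match follows that credential or the one the socket was created under is exactly the question raised above.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <string.h>

/* Bind a listening TCP socket on loopback while still root, then drop
 * the (e&r) uid/gid to the target. Returns the listening fd or -1.
 * Port 0 asks the kernel for an ephemeral port (useful for testing
 * without root); a real service would pass its privileged port. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }

    /* Order matters: supplementary groups and gid first, uid last; once
     * the uid is unprivileged the gid change is no longer permitted.
     * setgroups() itself needs root, so skip it when we never had root. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) { close(fd); return -1; }
    if (setgid(gid) < 0 || setuid(uid) < 0)      { close(fd); return -1; }
    return fd;
}

/* Post-drop check: real and effective ids equal the target and root can
 * no longer be regained. Returns 1 when the drop is complete. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* must fail with EPERM */
    return 1;
}
```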