Date: Sat, 24 Aug 2002 12:49:43 +0200 (CEST)
From: Rob J Meijer
To: freebsd-security@FreeBSD.ORG
Subject: user based firewalling with ipfw and privileged ports.
In-Reply-To: <20020823083714.GA39848@killer.crypton.pl>
Message-ID: <20020824100341.T75248-100000@xs1.xs4all.nl>

Lately I have been trying to port a public domain software project of mine (cduck) to the FreeBSD platform. On the original platform (Linux) I made use of iptables with the owner module, and on FreeBSD of ipfw and the user based filtering that they provide. I use these filters in order to set up an extended chroot environment for servers that make up my project. For the most part this seems to work perfectly, and I did not discover the problem that seems to appear with both iptables on Linux and with ipfw on FreeBSD until by chance I ran into it while porting to FreeBSD.
First I thought it was a problem only in FreeBSD, but later I confirmed that the same problem was also present on the original platform, and thus seems to be a rather fundamental problem.

The problem is that I need to bind to a privileged port, and in order to do this I need to start as root and then change the (e&r) uid of the process to the target uid. It appears that changing the process's uid does not change the way that the user bit of traffic from the specific socket is seen; both iptables and ipfw interpret the traffic as coming from the root user.

For the most part, with static firewall rules this would not be a problem; however, I am using the logs of ipfw in a trivial intrusion detection system (part of my project) that will try to pull the network plug on compromised subsystems by denying all traffic from the user that the service is running as.

It seems this is a fundamental flaw in the design of ipfw on FreeBSD (and for that matter also in iptables on Linux). Am I right in assuming this to be such a flaw, is this problem known, or is there some flaw in the way I am binding to a privileged port that I could fix in my project? (I already tried duplicating the socket after changing user; this has no effect either.)

T.I.A.

Rob J Meijer
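
The bind-then-switch sequence the message describes, written out as an added example (not code from the post or from cduck). `bind_then_drop` and its parameters are hypothetical names; the point to note is that the socket already exists, created by root, before the uid changes.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* glibc: expose setgroups() */
#endif
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: returns a listening TCP socket bound to `port`
 * with the process switched to uid/gid, or -1 on any failure. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    struct sockaddr_in sa;
    /* Created while still root: this is the socket whose traffic the
     * post reports as still being attributed to root afterwards. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0)
        goto fail;
    /* Order matters: groups and gid first, because once the uid is no
     * longer 0 the process may not change them any more. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        goto fail;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        goto fail;
    /* Confirm the switch took effect and cannot be undone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        goto fail;
    if (uid != 0 && setuid(0) == 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Demo with port 0 and the caller's own ids so it runs unprivileged; a
 * service started as root would pass e.g. port 80 and its service uid/gid. */
int main(void)
{
    return bind_then_drop(0, getuid(), getgid()) < 0;
}
```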