From owner-freebsd-security Thu Sep 25 07:55:17 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA20484 for security-outgoing; Thu, 25 Sep 1997 07:55:17 -0700 (PDT)
Received: from hawk.gnome.co.uk (gnome.gw.cerbernet.co.uk [193.243.224.22]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA20462 for ; Thu, 25 Sep 1997 07:54:48 -0700 (PDT)
Received: from hawk.gnome.co.uk (localhost [127.0.0.1]) by hawk.gnome.co.uk (8.8.7/8.8.7) with ESMTP id PAA06399 for ; Thu, 25 Sep 1997 15:54:25 +0100 (BST)
Message-Id: <199709251454.PAA06399@hawk.gnome.co.uk>
X-Mailer: exmh version 2.0zeta 7/24/97
To: security@freebsd.org
Subject: rc.firewall weakness?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 25 Sep 1997 15:54:25 +0100
From: Chris Stenton
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I have just been looking at the latest rc.firewall for 2.2.2-stable and it appears to me that it is somewhat weak. As far as I can see the following rules:

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

allow anyone from outside to connect to any UDP port and get a reply if they can get their hacking prog to connect from port 53 or 123 on their own machine?

The whole area of UDP, as far as I can see, is difficult to administer under ipfw. What I feel is required is "dynamic packet filtering" on UDP connections, so that ipfw remembers the outgoing UDP packets it has seen. It can then let in corresponding packets from the host and port that has been sent to. This I think is the case for products from Morning Star et al.

Just my thoughts ... no flames required if I am totally wrong :-)

Chris
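The following is an added illustration of the two UDP policies the post contrasts; it is not code from the post, from rc.firewall, or from ipfw. It evaluates the four quoted "pass udp" rules as written (stateless, keyed only on port 53/123 at either end) beside a small dynamic filter that records each outbound UDP query and admits only a reply from the same peer host and port back to the same local port. The addresses (documentation ranges standing in for ${oip} and for outside hosts), the 30-second entry lifetime, and the table key are assumptions made for the example.

```python
"""Stateless vs dynamic (stateful) UDP filtering, simulated on constructed packets.

Added example: not part of the original mailing-list post or of FreeBSD's rc.firewall.
"""
from dataclasses import dataclass

OIP = "192.0.2.10"        # assumed: the firewall's outside address, standing in for ${oip}
SERVICE_PORTS = (53, 123)  # the DNS and NTP ports named in the quoted rules


@dataclass(frozen=True)
class Packet:
    """A UDP datagram reduced to the fields a port-based filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow(pkt: Packet) -> bool:
    """The quoted rc.firewall rules, literally: any UDP packet that has 53 or 123 as
    the remote port passes in either direction, regardless of who started the exchange."""
    for port in SERVICE_PORTS:
        if pkt.dst == OIP and pkt.sport == port:   # "pass udp from any <port> to ${oip}"
            return True
        if pkt.src == OIP and pkt.dport == port:   # "pass udp from ${oip} to any <port>"
            return True
    return False


class DynamicUdpFilter:
    """The behaviour the post asks for: remember outgoing UDP queries and let in only
    the corresponding replies. Key and lifetime are assumptions for this example."""

    def __init__(self, ttl: float = 30.0) -> None:
        self.ttl = ttl
        # (local_ip, local_port, peer_ip, peer_port) -> expiry time
        self.table: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.src == OIP and pkt.dport in SERVICE_PORTS:
            # Outbound query: record the flow so its reply can be matched later.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
            return True
        if pkt.dst == OIP:
            # Inbound: admit only if it answers a query we saw, from that exact peer.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                self.table[key] = now + self.ttl   # refresh the entry on traffic
                return True
        return False


def run_scenarios() -> dict[str, bool]:
    """Constructed packets showing where the two policies diverge."""
    # An outsider sourcing from port 53 to an arbitrary local UDP port (the weakness).
    probe = Packet("198.51.100.7", 53, OIP, 111)
    # A legitimate DNS exchange: our query, then the resolver's reply.
    query = Packet(OIP, 4001, "203.0.113.53", 53)
    reply = Packet("203.0.113.53", 53, OIP, 4001)
    # Right local port, wrong peer: spoofed "reply" from a host we never queried.
    forged = Packet("198.51.100.7", 53, OIP, 4001)

    dyn = DynamicUdpFilter()
    return {
        "stateless_passes_probe": stateless_allow(probe),
        "dynamic_blocks_probe": not dyn.allow(probe, now=0.0),
        "dynamic_passes_query": dyn.allow(query, now=0.0),
        "dynamic_passes_reply": dyn.allow(reply, now=1.0),
        "dynamic_blocks_forged_reply": not dyn.allow(forged, now=1.0),
        "dynamic_expires_stale_entry": not dyn.allow(reply, now=100.0),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:30s} {ok}")
```

The first scenario is the point of the post: under the quoted rules an outside host only has to bind its socket to port 53 or 123 to reach any UDP listener behind ${oip}. The dynamic filter closes that because an inbound packet is admitted only when it matches a flow this side opened, and the forged-reply case shows why the key must include the peer's address, not just the local port. Later FreeBSD releases added this kind of tracking to ipfw itself as keep-state/check-state rules; that is beyond what the 2.2.2-era rc.firewall quoted here offers.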