Date:      Thu, 25 Sep 1997 15:54:25 +0100
From:      Chris Stenton <jacs@gnome.co.uk>
To:        security@freebsd.org
Subject:   rc.firewall weakness?
Message-ID:  <199709251454.PAA06399@hawk.gnome.co.uk>

I have just been looking at the latest rc.firewall for 2.2.2-stable
and it appears to me that it is somewhat weak. As far as I can see
the following rules:-

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

allows anyone from outside to connect to any udp port and get a reply if they
can get their hacking prog to connect from port 53 or 123 on their own machine?

The whole area of UDP as far as I can see is difficult to administer under
ipfw. What I feel is required is "dynamic packet filtering" on UDP connections
so that ipfw remembers the outgoing UDP packets it has seen. It can then let in
corresponding packets from the host and port that has been sent to. This
I think is the case for products from Morning Star et al.


Just my thoughts ... no flames required if I am totally wrong :-)


Chris
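To make the two behaviours concrete, here is an added Python model, written for this archive page and not taken from the message, rc.firewall or ipfw. It evaluates the four quoted rules exactly as written (first match wins, "any" is a wildcard) and, beside them, a small dynamic UDP filter of the kind the message asks for: it remembers each outbound query and admits only a reply from the host and port the query went to, landing on the port it left from, within a lifetime. The address 192.0.2.10 stands in for ${oip}; the other addresses, the ports and the 10-second lifetime are constructed values.

```python
"""Stateless vs. dynamic (stateful) UDP filtering, modelled on the rc.firewall rules above.

Constructed teaching example; it does not talk to ipfw or the network.
"""
from dataclasses import dataclass

OIP = "192.0.2.10"      # constructed stand-in for ${oip}, the outside interface address
ANY = "any"
UDP_LIFETIME = 10.0     # constructed: seconds a remembered UDP flow stays open


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# The four quoted rules as (proto, src, sport, dst, dport) tuples; "any" is the ipfw wildcard.
STATELESS_RULES = [
    ("udp", ANY, 53, OIP, ANY),    # pass udp from any 53 to ${oip}
    ("udp", OIP, ANY, ANY, 53),    # pass udp from ${oip} to any 53
    ("udp", ANY, 123, OIP, ANY),   # pass udp from any 123 to ${oip}
    ("udp", OIP, ANY, ANY, 123),   # pass udp from ${oip} to any 123
]


def _matches(rule, pkt):
    proto, src, sport, dst, dport = rule
    return (pkt.proto == proto
            and src in (ANY, pkt.src) and sport in (ANY, pkt.sport)
            and dst in (ANY, pkt.dst) and dport in (ANY, pkt.dport))


def stateless_pass(pkt):
    """Stateless evaluation of the quoted rules; anything unmatched is denied."""
    return any(_matches(rule, pkt) for rule in STATELESS_RULES)


class DynamicUdpFilter:
    """Remembers outbound UDP flows and admits only their replies.

    A reply is accepted only if it comes from the host *and* port a query was
    sent to and arrives on the port the query left from; each remembered flow
    expires after UDP_LIFETIME seconds of silence.
    """

    def __init__(self, allowed_dports=(53, 123)):
        self.allowed_dports = set(allowed_dports)
        self.flows = {}     # (src, sport, dst, dport) -> expiry time

    def outbound(self, pkt, now):
        """Pass a query from ${oip} to an allowed service port and remember the flow."""
        ok = pkt.proto == "udp" and pkt.src == OIP and pkt.dport in self.allowed_dports
        if ok:
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + UDP_LIFETIME
        return ok

    def inbound(self, pkt, now):
        """Pass an inbound packet only if it is the reverse of a live remembered flow."""
        if pkt.proto != "udp":
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
        expiry = self.flows.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.flows[key]                           # flow timed out
            return False
        self.flows[key] = now + UDP_LIFETIME              # traffic keeps the flow alive
        return True


def compare(now=0.0):
    """Run constructed packets through both filters; returns (stateless, dynamic) verdicts."""
    dyn = DynamicUdpFilter()
    query = Packet("udp", OIP, 40000, "198.51.100.53", 53)    # our own DNS query
    reply = Packet("udp", "198.51.100.53", 53, OIP, 40000)    # the genuine answer to it
    stray = Packet("udp", "203.0.113.7", 53, OIP, 9999)       # source port 53, nothing was asked
    dyn.outbound(query, now)
    return {
        "reply": (stateless_pass(reply), dyn.inbound(reply, now + 1)),
        "stray": (stateless_pass(stray), dyn.inbound(stray, now + 1)),
        "late":  (stateless_pass(reply), dyn.inbound(reply, now + 1 + UDP_LIFETIME + 1)),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:6s} stateless={verdict[0]} dynamic={verdict[1]}")
```

The "stray" packet is the point of the message: it carries source port 53 but was never solicited, and the stateless rule `pass udp from any 53 to ${oip}` admits it to any port, while the dynamic filter has no matching flow and drops it. The "late" case shows the other property a practitioner wants from such state: a remembered flow is closed again once it goes idle. Later ipfw releases added exactly this mechanism as `check-state` and the `keep-state` rule option, which is the mitigation to reach for on systems that have it.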

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709251454.PAA06399>