From owner-freebsd-security Mon May 8 4:23:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id B677537C37E for ; Mon, 8 May 2000 04:22:59 -0700 (PDT) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id JAA03564; Mon, 8 May 2000 09:37:22 GMT
Message-ID: <39168AD1.FD8BAC38@algroup.co.uk>
Date: Mon, 08 May 2000 10:37:21 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Murray
Cc: Marc Silver, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Murray wrote:
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
>
> You want to allow DNS, and this will do it, but it will allow an
> attacker to attack you by setting his source (ephemeral) port
> to 53. Just be aware of this; there is probably not much you can
> do with ipfw - you need a firewall that can hold UDP state.

This works with ipfw:

# block low port incoming UDP but allow outgoing and replies for DNS, NTP
# (and anything else that needs it).
$fwcmd add pass udp from any to any 53,123
$fwcmd add deny udp from any to any 0-1023,1110,2049
$fwcmd add pass udp from any to any

1110 & 2049 are blocked to protect NFS - you will need to block any other high ports that you have real services running on.

cheers,
Adam
--
Adam Laurie                 Tel: +44 (181) 742 0755
A.L. Digital Ltd.           Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage          http://www.aldigital.co.uk
London W4 4GB               mailto:adam@algroup.co.uk
UNITED KINGDOM              PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
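The following is an added illustration, not code from the thread, from ipfw or from either poster: a small Python model of ipfw's first-match evaluation applied to the three stateless rules Adam gives, run over constructed sample packets. It shows why a legitimate DNS query and its reply both pass, why an attacker who sets his source port to 53 is still stopped at the low ports and at 1110/2049, and why the same attacker still reaches any other high port that runs a real service unless that port is added to the deny rule, which is the caveat in Adam's last sentence. The rules only ever test the destination port, so the source port is carried through purely to make that point visible. The `Rule` structure, the port-spec parser, the packet tuples and the default-deny fallback are assumptions of this example (ipfw's default rule denies unless the kernel was built otherwise).

```python
"""Model of ipfw first-match UDP filtering for the rules quoted in the thread.

Added example, not ipfw code. Rules are walked top to bottom; the first rule
whose destination-port set matches decides the packet. Only destination ports
are inspected, exactly as in the three 'from any to any' rules in the post.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "deny"
    dst_ports: Optional[FrozenSet[int]]  # None means "any destination port"


def port_set(spec: str) -> FrozenSet[int]:
    """Parse an ipfw-style port list such as '53,123' or '0-1023,1110,2049'."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        ports.update(range(low, high + 1))
    return frozenset(ports)


# Adam's three rules, in order:
#   $fwcmd add pass udp from any to any 53,123
#   $fwcmd add deny udp from any to any 0-1023,1110,2049
#   $fwcmd add pass udp from any to any
RULES: List[Rule] = [
    Rule("pass", port_set("53,123")),
    Rule("deny", port_set("0-1023,1110,2049")),
    Rule("pass", None),
]

# Assumed variant: the same rules with one more high port that hosts a real
# service (8080 is a placeholder chosen for this example) added to the deny list,
# as the post says you must do for any such port.
HARDENED_RULES: List[Rule] = [
    Rule("pass", port_set("53,123")),
    Rule("deny", port_set("0-1023,1110,2049,8080")),
    Rule("pass", None),
]


def evaluate(rules: List[Rule], src_port: int, dst_port: int) -> str:
    """Return the action of the first matching rule ('deny' if none matches).

    src_port is deliberately never consulted: these rules are stateless and
    destination-based, so an attacker choosing source port 53 gains nothing
    against a destination port that the deny rule covers.
    """
    for rule in rules:
        if rule.dst_ports is None or dst_port in rule.dst_ports:
            return rule.action
    return "deny"  # assumption: ipfw's default-deny last rule


# Constructed sample traffic (src_port, dst_port, what it represents).
SAMPLE_PACKETS = [
    (1234, 53,   "our resolver query out to a DNS server"),
    (53,   1234, "DNS reply back to our ephemeral port"),
    (53,   22,   "attacker, source port 53, aiming at sshd"),
    (53,   2049, "attacker, source port 53, aiming at NFS"),
    (53,   8080, "attacker, source port 53, aiming at an unlisted high-port service"),
]


def run(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against a rule set; keyed by description."""
    return {desc: evaluate(rules, s, d) for s, d, desc in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("with 8080 denied", HARDENED_RULES)):
        print(f"--- {name} ---")
        for desc, verdict in run(rules).items():
            print(f"{verdict:5}  {desc}")
```

The only packet whose verdict changes between the two rule sets is the source-port-53 probe at the extra high port, which is the gap the post tells you to close per service; everything that a stateful firewall would also have to get right (the query out, the reply in, the spoofed-source probes at low ports) is already decided correctly by destination port alone.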