Date:      Mon, 08 May 2000 10:37:21 +0100
From:      Adam Laurie <adam@algroup.co.uk>
To:        Mark Murray <mark@grondar.za>
Cc:        Marc Silver <marcs@draenor.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall Rules
Message-ID:  <39168AD1.FD8BAC38@algroup.co.uk>
References:  <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>

Mark Murray wrote:

> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> 
> You want to allow DNS, and this will do it, but it will allow an
> attacker to attack you by setting his source (ephemeral) port
> to 53. Just be aware of this; there is probably not much you can
> do with ipfw - you need a firewall that can hold UDP state.

this works with ipfw:

    # block low port incoming UDP but allow outgoing and replies for DNS, NTP
    # (and anything else that needs it).
    $fwcmd add pass udp from any to any 53,123
    $fwcmd add deny udp from any to any 0-1023,1110,2049
    $fwcmd add pass udp from any to any

1110 & 2049 are blocked to protect NFS - you will need to block any
other high ports that you have real services running on.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
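The three-rule set above relies on ipfw's first-match evaluation: an attacker who sets his source port to 53 is no longer granted every destination port, only 53, 123 and the high ports that the last rule passes. The following Python is an added example, not code from the message or from ipfw itself; it transcribes the posted rules into a first-match evaluator and runs constructed packets through it to show which destination ports a source-port-53 packet still reaches (the rule order and port lists are taken from the mail, the packet values are made up for illustration).

```python
"""First-match evaluation of the posted ipfw UDP rule set (added example).

ipfw walks the rule list in order and stops at the first rule that matches.
Every rule in the posted set tests only the destination port, so the question
"what can a packet with source port 53 reach?" reduces to "which destination
ports does the first matching rule pass?".  The packets evaluated here are
constructed for illustration and are not taken from any capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int


def parse_ports(spec: str) -> set:
    """Expand an ipfw-style port list such as '0-1023,1110,2049' into a set."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


# (action, destination-port set; None means "any"), in the order given in the mail:
#   $fwcmd add pass udp from any to any 53,123
#   $fwcmd add deny udp from any to any 0-1023,1110,2049
#   $fwcmd add pass udp from any to any
RULES = [
    ("pass", parse_ports("53,123")),
    ("deny", parse_ports("0-1023,1110,2049")),
    ("pass", None),
]


def evaluate(pkt: UdpPacket, rules=RULES) -> str:
    """Return the action of the first rule whose destination-port test matches."""
    for action, dports in rules:
        if dports is None or pkt.dst_port in dports:
            return action
    # Nothing matched: fall through to rule 65535, which denies unless the
    # kernel was built to accept by default (assumed deny here).
    return "deny"


def reachable_from_source_53(rules=RULES, max_port=65535) -> set:
    """Destination ports an attacker can hit from source port 53 under these rules."""
    return {p for p in range(max_port + 1)
            if evaluate(UdpPacket(src_port=53, dst_port=p), rules) == "pass"}


if __name__ == "__main__":
    samples = {
        "outgoing DNS query (dst 53)": UdpPacket(40000, 53),
        "DNS reply (src 53 -> ephemeral)": UdpPacket(53, 40000),
        "src 53 -> portmapper 111": UdpPacket(53, 111),
        "src 53 -> NFS 2049": UdpPacket(53, 2049),
        "src 53 -> unprotected high port 8000": UdpPacket(53, 8000),
    }
    for label, pkt in samples.items():
        print(f"{label:40s} {evaluate(pkt)}")
    print("ports still reachable from source port 53:", len(reachable_from_source_53()))
```

The last line is the point of Adam's closing remark: the low ports and the two NFS ports are closed, but every other high port remains open to a source-port-53 packet, so any real service listening above 1023 needs its own deny rule placed before the final pass.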




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39168AD1.FD8BAC38>