Date:      Thu, 02 Dec 1999 17:52:10 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        John Baldwin <jhb@FreeBSD.org>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: rc.firewall revisited
Message-ID:  <3846B1CA.21FD4270@algroup.co.uk>
References:  <199912021602.LAA37669@server.baldwin.cx>

John Baldwin wrote:
> 
> On 02-Dec-99 Adam Laurie wrote:
> > My specific experience was that I found a hole in the default
> > rc.firewall rules. This hole means that UDP is totally unprotected
> > because of faulty rules for DNS and NTP. I posted a suggested fix to
> > the security-officer, and got an immediate reply saying "I agree
> > 100%".  The security-officer is clearly also a list, because I then
> > got another reply from someone else, telling me how to configure my
> > DNS. This degenerated into a thread related to DNS server
> > configuration and entirely missing the point regarding ipfw. I then
> > suggested moving it to the wider forum of this list, and guess
> > what...? The same thing happened! The thread disappeared in a cloud
> > of irrelevant discussion about how to set up name servers. As I
> > say, I'm currently unaware of the status of rc.firewall, but when I
> > get around to checking it, if it hasn't been fixed, you'll be
> > reading about yourselves on bugtraq again! If it has been fixed,
> > then excellent, well done, etc. etc. :)
> 
> I checked the logs, and no change has been committed.  Your proposal is
> to replace:
> 
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${ip}
>     $fwcmd add pass udp from ${ip} to any 53
> 
>     # Allow NTP queries out in the world
>     $fwcmd add pass udp from any 123 to ${ip}
>     $fwcmd add pass udp from ${ip} to any 123
> 
> with:
> 
>     # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
>     # and all other high ports. Allow outgoing UDP.
>     $fwcmd add pass udp from any to ${ip} 123
>     $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
>     $fwcmd add pass udp from any to any
> 
> There were concerns about DNS replies to a local server.  In -current
> and -stable, BIND is 8.2.x, so queries to the outside do not originate
> from 53 by default, and so replies do not come in to port 53.  However,
> if machines inside the firewall use a DNS server on the firewall then
> you could have problems.  Perhaps this instead then:
> 
>     # Allow NTP to this machine
>     $fwcmd add pass udp from any to ${ip} 123
> 
>     # Allow DNS requests to this machine
>     $fwcmd add pass udp from any to ${ip} 53
> 
>     # Deny all other incoming requests on low ports and NFS
>     $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> 
>     # Allow all outgoing UDP
>     $fwcmd add pass udp from any to any

OK, well this more or less matches my own current iteration, so I have
no problem with that...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
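The hole discussed above is that the default rules key on the *source* port, so any UDP datagram sent from port 53 or 123 reaches every UDP port on the firewall. The following first-match simulator is an added example (not rc.firewall or ipfw itself) that runs the original and John Baldwin's final rule set against constructed datagrams; it assumes ipfw's top-down first-match semantics and stands in 192.0.2.1 for ${ip}.

```python
FW_IP = "192.0.2.1"   # stands in for ${ip}; constructed address

def ports(spec):
    """Parse an ipfw port list such as '0-1023,1110,2049' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule(action, src="any", sport=None, dst="any", dport=None):
    """One 'ipfw add ACTION udp from SRC [SPORT] to DST [DPORT]' line."""
    return {"action": action, "src": src, "dst": dst,
            "sport": ports(sport) if sport else None,
            "dport": ports(dport) if dport else None}

# The default rc.firewall rules: they key on the *source* port only.
ORIGINAL = [
    rule("pass", sport="53", dst=FW_IP),
    rule("pass", src=FW_IP, dport="53"),
    rule("pass", sport="123", dst=FW_IP),
    rule("pass", src=FW_IP, dport="123"),
]

# The final suggestion in the thread: key on the *destination* port.
PROPOSED = [
    rule("pass", dst=FW_IP, dport="123"),
    rule("pass", dst=FW_IP, dport="53"),
    rule("deny", dst=FW_IP, dport="0-1023,1110,2049"),
    rule("pass"),
]

def evaluate(rules, src, sport, dst, dport):
    """First-match evaluation of one UDP datagram; unmatched -> deny."""
    for r in rules:
        if (r["src"] in ("any", src) and r["dst"] in ("any", dst)
                and (r["sport"] is None or sport in r["sport"])
                and (r["dport"] is None or dport in r["dport"])):
            return r["action"]
    return "deny"

# Constructed probe: outside host, source port 53, aimed at NFS (2049).
OUTSIDE = "198.51.100.7"
print(evaluate(ORIGINAL, OUTSIDE, 53, FW_IP, 2049))   # pass  (the hole)
print(evaluate(PROPOSED, OUTSIDE, 53, FW_IP, 2049))   # deny
print(evaluate(PROPOSED, OUTSIDE, 53, FW_IP, 5353))   # pass  (reply to high port)
```

The last line shows that genuine DNS and NTP replies to high ports still get through under the proposed rules, which is the property the thread wanted to preserve.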

