Date: Thu, 02 Dec 1999 17:52:10 +0000 From: Adam Laurie <adam@algroup.co.uk> To: John Baldwin <jhb@FreeBSD.org> Cc: freebsd-security@FreeBSD.org Subject: Re: rc.firewall revisited Message-ID: <3846B1CA.21FD4270@algroup.co.uk> References: <199912021602.LAA37669@server.baldwin.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
John Baldwin wrote: > > On 02-Dec-99 Adam Laurie wrote: > > My specific experience was that I found a hole in the default > > rc.firewall rules. This hole means that UDP is totally unprotected > > because of faulty rules for DNS and NTP. I posted a suggested fix to > > the security-officer, and got an immediate reply saying "I agree > > 100%". The security-officer is clearly also a list, because I then > > got another reply from someone else, telling me how to configure my > > DNS. This degenerated into a thread related to DNS server > > configuration and entirely missing the point regarding ipfw. I then > > suggested moving it to the wider forum of this list, and guess > > what...? The same thing happened! The thread diappeared in a cloud > > of irrelevant discussion about how to set up name servers. As I > > say, I'm currently unaware of the status of rc.firewall, but when I > > get around to checking it, if it hasn't been fixed, you'll be > > reading about yourselves on bugtraq again! If it has been fixed, > > then excellent, well done, etc. etc. :) > > I checked the logs, and no change has been committed. Your proposal is > to replace: > > # Allow DNS queries out in the world > $fwcmd add pass udp from any 53 to ${ip} > $fwcmd add pass udp from ${ip} to any 53 > > # Allow NTP queries out in the world > $fwcmd add pass udp from any 123 to ${ip} > $fwcmd add pass udp from ${ip} to any 123 > > with: > > # Block low port incoming UDP (and NFS) but allow replies for DNS, > NTP > # and all other high ports. Allow outgoing UDP. > $fwcmd add pass udp from any to ${ip} 123 > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 > $fwcmd add pass udp from any to any > > There were concerns about DNS replies to a local server. In -current > and -stable, BIND is 8.2.x, so queries to the outside do not originate > from 53 by default, and so replies do not come in to port 53. However, > if machines inside the firewall use a DNS server on the firewall then > you could have problems. Perhaps this instead then: > > # Allow NTP to this machine > $fwcmd add pass udp from any to ${ip} 123 > > # Allow DNS requests to this machine > $fwcmd add pass udp from any to ${ip} 53 > > # Deny all other incoming requests on low ports and NFS > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 > > # Allow all outgoing UDP > $fwcmd add pass udp from any to any OK, well this more or less matches my own current iteration, so I have no problem with that... cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3846B1CA.21FD4270>