From owner-freebsd-security  Thu Sep 25 09:20:53 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id JAA25574
          for security-outgoing; Thu, 25 Sep 1997 09:20:53 -0700 (PDT)
Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA25564
          for <security@freebsd.org>; Thu, 25 Sep 1997 09:20:46 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id KAA10285;
	Thu, 25 Sep 1997 10:20:38 -0600 (MDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id KAA18291; Thu, 25 Sep 1997 10:20:37 -0600 (MDT)
Date: Thu, 25 Sep 1997 10:20:37 -0600 (MDT)
Message-Id: <199709251620.KAA18291@rocky.mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Chris Stenton <jacs@gnome.co.uk>
Cc: security@freebsd.org
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709251454.PAA06399@hawk.gnome.co.uk>
References: <199709251454.PAA06399@hawk.gnome.co.uk>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I have just been looking at the latest rc.firewall for 2.2.2-stable
> and it appears to me that it is somewhat weak. As far as I can see
> the following rules:-
> 
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
> 
>     # Allow NTP queries out in the world
>     $fwcmd add pass udp from any 123 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 123
> 
> allows anyone from outside to connect to any udp port and get a reply if they
> can get their hacking prog to connect from port 53 or 123 on their own machine?
> 

Yes, that is true.  This is also the case with TCP ports that have
similar rulesets, most notably FTP-DATA.


> The whole area of UDP as far as I can see is difficult to administer
> under ipfw. What I feel is required is "dynamic packet filtering" on
> UDP connections so that ipfw remembers the outgoing UDP packets it has
> seen.

I think the above solution is adequate, so both the source/destination
port are the same.

> It can then let in corresponding packets from the host and port
> that has been sent to. This I think is the case for products from
> Morning Star et. al.

It wasn't that way when I first used MorningStar, but that was a couple
of years ago.


Nate