From owner-freebsd-arch Tue Feb 19 8:41:12 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 3C3BB37B402; Tue, 19 Feb 2002 08:40:39 -0800 (PST)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id g1JGe4D02855; Tue, 19 Feb 2002 11:40:04 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Tue, 19 Feb 2002 11:40:03 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Alexey Dokuchaev
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Just as a slight follow-up I should have included in my earlier e-mail:
the merging of ucred and pcred should make this patch now be able to
support real and saved uids/gids as well as effective uids/gids, meaning
that it can be used to also restrict setuid applications such as ping.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
>
> Back in 1997, an email was sent to hackers@ about some substantial
> firewall code improvements, along with a patch, by Julian Assange. A PR
> (misc/2386) was then filed, but marked 'closed' shortly after submission
> with the reason 'Misfiled PR'. It seems never to have raised any interest
> afterwards, despite the fact that this work is definitely worth
> considering.
>
> I will forward the original mail at the end for those who are interested.
> My particular interest in this comes from the fact that uid/gid-based
> IPFW filtering only works for outgoing connections, which is a neat thing
> of course. However, to be able to provide any service, I need to allow
> incoming connections as well, and this is where I got somewhat
> disappointed: I cannot control who's bind()'ing to whatever port (if
> outside setup connections are allowed), and if, say, for whatever reason
> my cvsupd (or ircd, or quaked) exits, any malicious user process can
> issue bind() to the [freed] unprivileged port. One might say this is not
> a big deal, since servers tend to restart themselves in case of any
> failure; however, for example, FTP passive mode requires setup
> connections to be allowed in a certain port range, and I really want only
> the ftp user to be able to bind() to those ports. At present, there is no
> way in IPFW to open ports for a specific user/group only, while Julian's
> patch seems to solve the problem.
>
> Time to revise this stuff again? :-)
>
> The URL Julian gives in his email is no longer valid, but his patches are
> in PR misc/2386, and can also be found at
> ftp://regency.nsu.ru/tmp/ipfw.diff.
>
> Sincerely,
> Alexey Dokuchaev
>
> ------ Forwarded message ------
> Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
> From: proff@suburbia.net
> To: hackers@freebsd.org, security@freebsd.org
> Subject: new firewall code [uid/gid/bind() etc]
> Message-ID: <19970106200116.16168.qmail@suburbia.net>
>
> I tried posting the patches but, at 55k, it seems majordumbo has
> (silently) rejected them. You may find them at:
>
> ftp://suburbia.net/tmp/ipfw.diff
>
> My "socket credentials" patches allow you to:
>
> punch wormholes, or restrict access to the IPPORT_RESERVED space, or
> restrict access to bind() altogether based on:
>
> (a) uid
> (b) gid (including secondary groups)
> (c) port
> (d) protocol
> (e) interface
>
> And more importantly:
>
> Restrict access to packets being sent/received on any socket based on:
>
> (a) the packet (per normal ipfw rules)
> (b) uid
> (c) gid (including secondary groups)
>
> The former permits constructs like:
>
> /* let uid sendmail bind to port 25 */
> # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind
>
> /* only let inetd bind - we presume inetd still needs to run as root
>    for uid switching when forking off clients */
>
> # addgroup inetd
> # chgrp inetd /usr/sbin/inetd
> # chmod 2700 /usr/sbin/inetd
> # killall inetd
> # ipfw add accept all from any to any bind gid inetd uid root
> # /* default policy is to deny bind */
>
> /* keep those without security clearance out of secret network */
> # ipfw add accept all from any to any via ed0 gid secret
> # ipfw add deny all from any to any via ed0 gid any
>
> Logging has also been enhanced:
>
> # ipfw add 60000 accept log all from any to any bind
> /* example of named starting up */
>
> ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
>
> Cheers,
> Julian
>
> ------ End of forwarded message ------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
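The port takeover that Alexey's message is worried about, as an added example that is not part of this thread, of ipfw, or of Julian's patch: a "daemon" socket takes an unprivileged port, exits, and a second socket (which in real life could belong to any uid) rebinds the same port. The kernel refuses the second bind() only while the first socket still holds the port; once it is closed there is no ownership left to check, which is exactly the gap a bind-time uid/gid rule would close. The example assumes only the BSD socket API; it binds to INADDR_ANY on a kernel-chosen ephemeral port so it does not collide with real services, and it never listens, so no TIME_WAIT state is involved.

```c
/* Added example (not from the thread): show that once a daemon releases
 * an unprivileged port, any local process can bind() it again.
 * Assumes only the BSD socket API. Uses INADDR_ANY and a kernel-chosen
 * port so it runs without touching any real service. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh TCP socket to 0.0.0.0:port (port 0 lets the kernel pick).
 * Returns the socket fd on success, or -errno on failure. */
static int bind_any(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Port a bound socket actually received, or 0 if getsockname() fails. */
static unsigned short bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* The scenario from the thread. Returns 1 when both observations hold:
 * the port is refused (EADDRINUSE) while the daemon holds it, and is
 * handed to the next bind() as soon as the daemon closes it.
 * Returns 0 if the takeover was refused, -1 on setup failure. */
int port_takeover_after_exit(unsigned short *port_out)
{
    int daemon_fd = bind_any(0);            /* kernel picks a free port */
    if (daemon_fd < 0)
        return -1;
    unsigned short port = bound_port(daemon_fd);
    if (port == 0) {
        close(daemon_fd);
        return -1;
    }
    if (port_out)
        *port_out = port;

    /* While the daemon is alive, a competing bind() is refused. */
    int contender = bind_any(port);
    if (contender >= 0) {                   /* unexpected: not a conflict */
        close(contender);
        close(daemon_fd);
        return -1;
    }
    if (contender != -EADDRINUSE) {
        close(daemon_fd);
        return -1;
    }

    close(daemon_fd);                       /* the daemon exits */

    contender = bind_any(port);             /* ...and the port is anyone's */
    if (contender < 0)
        return 0;
    close(contender);
    return 1;
}

int main(void)
{
    unsigned short port = 0;
    int r = port_takeover_after_exit(&port);
    if (r == 1)
        printf("port %u freed and rebound by a second socket (uid %u)\n",
               port, (unsigned)getuid());
    else if (r == 0)
        printf("port %u could not be rebound\n", port);
    else
        printf("setup failed\n");
    return r == 1 ? 0 : 1;
}
```

Run it as an unprivileged user: the second bind() succeeds regardless of who owned the port a moment earlier, because the kernel's bind conflict check only looks at sockets that currently exist, not at who last held the port. Packet-level uid/gid matching, which is what ipfw offers, never sees this step; it can only act once traffic flows on the hijacked socket. On FreeBSD the bind-time control this thread asks for later appeared separately as the mac_portacl(4) MAC policy, which restricts binding to listed ports by uid or gid, rather than as an ipfw rule.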