Date:      03 Nov 1999 18:07:04 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        freebsd-security@freebsd.org
Subject:   Re: hole(s) in default rc.firewall rules
Message-ID:  <86g0yn8spj.fsf@localhost.hell.gr>
In-Reply-To: Adam Laurie's message of "Tue, 02 Nov 1999 20:33:49 +0000"
References:  <Pine.BSF.4.10.9911012224120.54551-100000@green.myip.org> <381F4AAD.1D8E6001@algroup.co.uk>

Adam Laurie <adam@algroup.co.uk> writes:

> And for those that don't think this is a serious issue...
> 
> Get a copy of netcat. Make sure syslogd is running in default mode (i.e.
> without "-s" option) on the target "firewalled" server. Run the
> following command on a machine outside the firewall:
> 
>   nc -u -p 53 -n [firewalled-server-ip] 514
> 
> and type some text in. Now go and tail /var/log/messages on the target
> server, and you'll see the text that has just walked through your
> firewall. I leave it as an exercise for the reader to exploit an NFS
> mount in a similar fashion...

I don't know how well this would work in a larger environment, but I
have set up my private named to forward queries to a couple of "trusted" 
name servers outside the firewall.  Then I added rules that accept only
udp packets originating from these two hosts (port 53), and the usual
"deny all from any to any" catches the rest.

Someone might also have the IP addresses of root-dns servers be
accepted as well.

Oh, and another little bit.  I have only recently brought up a small
document that describes to the freebsd-newbies of my local area some
parts of ipfw usage.  I am a newbie in freebsd myself too, therefore I
would be interested in any comments regarding this page, especially
about things that are considered 'insecure' and are recommended there.

The page is located at:

  <http://students.ceid.upatras.gr/~keramida/freebsd/ipfw.html>

-- 
Giorgos Keramidas, <keramida@ceid.upatras.gr>
"What we have to learn to do, we learn by doing." [Aristotle]
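As an added illustration (not part of this thread, and not the text of rc.firewall), a small first-match filter model in Python that puts the permissive rule shape the thread describes beside the "trusted forwarders only" rules outlined above. The server and name-server addresses are constructed, and the shape of the permissive rule is an assumption based on what the thread reports.

```python
# Added example: a minimal ipfw-like first-match packet filter model.
# Addresses below are constructed; the WEAK rule set is an assumed shape
# matching the thread's report (any UDP from source port 53 reaches the host).
from dataclasses import dataclass
from typing import List, Optional

SERVER = "192.0.2.10"                         # constructed: firewalled host
TRUSTED_NS = ("192.0.2.53", "198.51.100.53")  # constructed: named's forwarders

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    src: str               # IP address or "any"
    sport: Optional[int]   # None matches any port
    dst: str
    dport: Optional[int]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an implicit final deny catches the rest."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Permissive shape: any UDP datagram with source port 53 may reach the host,
# so a sender choosing source port 53 reaches syslogd on 514 as well.
WEAK = [Rule("allow", "udp", "any", 53, SERVER, None),
        Rule("deny", "any", "any", None, "any", None)]

# Hardened shape: only replies from the two forwarders (port 53) are let in,
# then "deny all from any to any". Note this is address-based: a datagram
# forged with a forwarder's source address would still pass.
HARDENED = [Rule("allow", "udp", ns, 53, SERVER, None) for ns in TRUSTED_NS]
HARDENED.append(Rule("deny", "any", "any", None, "any", None))

SYSLOG_PROBE = Packet("udp", "203.0.113.7", 53, SERVER, 514)  # constructed
DNS_REPLY = Packet("udp", TRUSTED_NS[0], 53, SERVER, 1234)    # constructed
```

Running `evaluate` on the two constructed packets shows the probe passing the permissive set and being dropped by the hardened one, while a genuine forwarder reply passes both.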


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
