From owner-freebsd-security Thu Sep 25 17:14:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA24090 for security-outgoing; Thu, 25 Sep 1997 17:14:15 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA24081 for ; Thu, 25 Sep 1997 17:14:11 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id RAA10089; Thu, 25 Sep 1997 17:09:09 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA11739; Thu, 25 Sep 1997 17:09:08 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA19119; Thu, 25 Sep 1997 17:09:07 -0700 (PDT)
From: Don Lewis
Message-Id: <199709260009.RAA19119@salsa.gv.tsc.tdk.com>
Date: Thu, 25 Sep 1997 17:09:07 -0700
In-Reply-To: Nate Williams "Re: rc.firewall weakness?" (Sep 25, 10:20am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Nate Williams , Chris Stenton
Subject: Re: rc.firewall weakness?
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sep 25, 10:20am, Nate Williams wrote:
} Subject: Re: rc.firewall weakness?
} > I have just been looking at the latest rc.firewall for 2.2.2-stable
} > and it appears to me that it is somewhat weak. As far as I can see
} > the following rules:-
} >
} > # Allow DNS queries out in the world
} > $fwcmd add pass udp from any 53 to ${oip}
} > $fwcmd add pass udp from ${oip} to any 53
} >
} > # Allow NTP queries out in the world
} > $fwcmd add pass udp from any 123 to ${oip}
} > $fwcmd add pass udp from ${oip} to any 123
} >
} > allows anyone from outside to connect to any udp port and get a reply if they
} > can get their hacking prog to connect from port 53 or 123 on their own machine?
} >

You've got it, which is why I only permit UDP 53<->53 and 123<->123. You lose
the ability to point a DNS client at an external DNS server (though you can
still do this safely for testing purposes if you use TCP queries), and you
can't query external NTP servers. The server to server traffic for DNS and
NTP still works fine.

} Yes, that is true. This is also the case with TCP ports that have
} similar rulesets, most notably FTP-DATA.

Unless you ban that and only allow passive FTP.
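As an added illustration (not code from this mail, and not FreeBSD's rc.firewall), the following POSIX sh script is a small offline evaluator that mimics ipfw's first-match behaviour for just the fields involved (proto, source, source port, destination, destination port). It runs the four rules quoted from rc.firewall beside the 53<->53 / 123<->123 variant described in the reply, against a handful of constructed packets. The address 203.0.113.10 for ${oip}, the outside host 198.51.100.7 and the external resolver 198.51.100.2 are assumed values from the documentation ranges; nothing is loaded into a real firewall.

```shell
#!/bin/sh
# Added example: an offline, first-match evaluator for the two UDP rule
# styles under discussion.  Not code from the original mail and not
# FreeBSD's rc.firewall; it only mimics ipfw matching on the fields
# proto/src/sport/dst/dport and never touches a real firewall.

oip="203.0.113.10"        # assumed ${oip}: the outside interface address

# One rule per line: "proto src sport dst dport"; "any" matches anything.
# Evaluated top to bottom, first match wins, unmatched packets are denied.

# The rules quoted from rc.firewall: only the far-end port is pinned.
rules_weak="udp any 53 $oip any
udp $oip any any 53
udp any 123 $oip any
udp $oip any any 123"

# The tightened variant: both ends pinned to 53 (DNS) or 123 (NTP).
rules_strict="udp any 53 $oip 53
udp $oip 53 any 53
udp any 123 $oip 123
udp $oip 123 any 123"

# field_match RULEFIELD PKTFIELD: true when the rule field is "any" or equal.
field_match() {
    [ "$1" = any ] || [ "$1" = "$2" ]
}

# verdict RULESET PROTO SRC SPORT DST DPORT: prints "pass" or "deny".
verdict() {
    v_rules=$1; v_p=$2; v_s=$3; v_sp=$4; v_d=$5; v_dp=$6
    while read -r rp rs rsp rd rdp; do
        [ -n "$rp" ] || continue
        if field_match "$rp" "$v_p" && field_match "$rs" "$v_s" \
           && field_match "$rsp" "$v_sp" && field_match "$rd" "$v_d" \
           && field_match "$rdp" "$v_dp"; then
            echo pass
            return 0
        fi
    done <<EOF
$v_rules
EOF
    echo deny
}

# Constructed packets, one per line: "label proto src sport dst dport".
# 198.51.100.7 is an assumed outside host (the "hacking prog" bound to
# port 53 or 123); 198.51.100.2 is an assumed external resolver.
packets="attacker-53-to-portmap udp 198.51.100.7 53 $oip 111
attacker-123-to-syslog udp 198.51.100.7 123 $oip 514
dns-server-to-server udp 198.51.100.2 53 $oip 53
client-query-to-ext-dns udp $oip 1025 198.51.100.2 53
ext-dns-reply-to-client udp 198.51.100.2 53 $oip 1025
random-udp-to-portmap udp 198.51.100.7 1234 $oip 111"

# Print a side-by-side table of verdicts under both rulesets.
printf '%-26s %-5s %s\n' packet weak strict
while read -r label p s sp d dp; do
    [ -n "$label" ] || continue
    printf '%-26s %-5s %s\n' "$label" \
        "$(verdict "$rules_weak" "$p" "$s" "$sp" "$d" "$dp")" \
        "$(verdict "$rules_strict" "$p" "$s" "$sp" "$d" "$dp")"
done <<EOF
$packets
EOF
```

Running it prints the point of the thread in one table: under the quoted rules, a datagram sourced from port 53 or 123 reaches any UDP port on ${oip} (portmap on 111, syslog on 514), while the 53<->53 / 123<->123 rules deny it and still pass server-to-server DNS. The same table also shows the cost the reply describes: a client query from an unprivileged port on ${oip} to an outside resolver, and its answer, are denied under the strict rules. (Recovering that without reopening the hole is what ipfw's later keep-state/check-state rules are for; they postdate this 1997 thread.)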