Date:      Thu, 25 Sep 1997 17:09:07 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Nate Williams <nate@mt.sri.com>, Chris Stenton <jacs@gnome.co.uk>
Cc:        security@FreeBSD.ORG
Subject:   Re: rc.firewall weakness?
Message-ID:  <199709260009.RAA19119@salsa.gv.tsc.tdk.com>
In-Reply-To: Nate Williams <nate@mt.sri.com> "Re: rc.firewall weakness?" (Sep 25, 10:20am)

On Sep 25, 10:20am, Nate Williams wrote:
} Subject: Re: rc.firewall weakness?
} > I have just been looking at the latest rc.firewall for 2.2.2-stable
} > and it appears to me that it is somewhat weak. As far as I can see
} > the following rules:-
} > 
} >     # Allow DNS queries out in the world
} >     $fwcmd add pass udp from any 53 to ${oip}
} >     $fwcmd add pass udp from ${oip} to any 53
} > 
} >     # Allow NTP queries out in the world
} >     $fwcmd add pass udp from any 123 to ${oip}
} >     $fwcmd add pass udp from ${oip} to any 123
} > 
} > allows anyone from outside to connect to any udp port and get a reply if they
} > can get their hacking prog to connect from port 53 or 123 on their own machine?
} > 

You've got it, which is why I only permit UDP 53<->53 and 123<->123.  You
lose the ability to point a DNS client at an external DNS server (though
you can still do this safely for testing purposes if you use TCP queries),
and you can't query external NTP servers.  The server to server traffic
for DNS and NTP still works fine.

} Yes, that is true.  This is also the case with TCP ports that have
} similar rulesets, most notably FTP-DATA.

Unless you ban that and only allow passive FTP.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709260009.RAA19119>
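Added example, not part of the thread or of FreeBSD's rc.firewall: a small first-match simulator for the ipfw rules quoted above, so the difference between "pass udp from any 53 to ${oip}" (any destination port) and the 53<->53 form can be checked on concrete packets. It parses only the "pass|deny udp from SRC [SPORT] to DST [DPORT]" subset used here, models the default deny with an explicit last rule, and all addresses are constructed for the example.

```python
"""Toy first-match evaluator for the UDP rules discussed in the thread.

Assumptions (not from the original page): ipfw's first-match semantics, a
trailing explicit "deny udp from any to any" standing in for the default
deny, and the constructed addresses below.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OIP = "192.0.2.1"          # constructed: the firewall's outside address (${oip})
EXT_DNS = "198.51.100.53"  # constructed: an external DNS server
ATTACKER = "203.0.113.7"   # constructed: an outside host that binds local port 53


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_rule(text: str) -> Rule:
    """Parse 'pass|deny udp from SRC [SPORT] to DST [DPORT]' (ipfw-like subset)."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "from":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    to = tok.index("to")
    src_part, dst_part = tok[3:to], tok[to + 1:]

    def addr_port(part):
        # A missing port means "any port", which is exactly the weakness.
        return part[0], (int(part[1]) if len(part) > 1 else None)

    src, sport = addr_port(src_part)
    dst, dport = addr_port(dst_part)
    return Rule(action, proto, src, sport, dst, dport)


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def evaluate(rules: List[Rule], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, as in ipfw; no match means deny."""
    for r in rules:
        if r.proto != proto:
            continue
        if not _addr_match(r.src, src) or not _addr_match(r.dst, dst):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None


# The rules quoted from rc.firewall: the source port is checked, the
# destination port on ${oip} is not.
WEAK = [parse_rule(f"pass udp from any 53 to {OIP}"),
        parse_rule(f"pass udp from {OIP} to any 53"),
        parse_rule("deny udp from any to any")]

# Don's 53<->53 variant: both ends pinned to the service port.
TIGHT = [parse_rule(f"pass udp from any 53 to {OIP} 53"),
         parse_rule(f"pass udp from {OIP} 53 to any 53"),
         parse_rule("deny udp from any to any")]


def verdict(rules: List[Rule], src: str, sport: int, dst: str, dport: int) -> str:
    return evaluate(rules, "udp", src, sport, dst, dport)[0]


def demo() -> dict:
    # Outsider sources from port 53 and probes the firewall's portmapper (111/udp).
    probe = dict(src=ATTACKER, sport=53, dst=OIP, dport=111)
    # Legitimate server-to-server DNS traffic (53 -> 53).
    reply = dict(src=EXT_DNS, sport=53, dst=OIP, dport=53)
    # Reply to a resolver client on an ephemeral port: what the tight set gives up.
    client_reply = dict(src=EXT_DNS, sport=53, dst=OIP, dport=49152)
    return {
        "weak_probe": verdict(WEAK, **probe),            # pass  (the weakness)
        "tight_probe": verdict(TIGHT, **probe),          # deny
        "weak_reply": verdict(WEAK, **reply),            # pass
        "tight_reply": verdict(TIGHT, **reply),          # pass
        "weak_client_reply": verdict(WEAK, **client_reply),    # pass
        "tight_client_reply": verdict(TIGHT, **client_reply),  # deny
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The probe passes under the quoted rules because the attacker chooses the UDP source port; nothing in the packet is checked except that it came from port 53 and is addressed to ${oip}. Pinning the destination port closes that, at the cost the reply notes: answers to a resolver client on an ephemeral port no longer match.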