From owner-freebsd-security  Thu Dec  2 15:45:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0416414C38; Thu,  2 Dec 1999 15:45:09 -0800 (PST)
	(envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id QAA20378;
	Thu, 2 Dec 1999 16:43:14 -0700 (MST)
	(envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4)
	id QAA08462; Thu, 2 Dec 1999 16:43:12 -0700
Date: Thu, 2 Dec 1999 16:43:12 -0700
Message-Id: <199912022343.QAA08462@mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Adam Laurie <adam@algroup.co.uk>
Cc: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>,
	John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
In-Reply-To: <3846FA12.F1480F19@algroup.co.uk>
References: <199912021954.LAA74271@gndrsh.dnsmgr.net>
	<3846FA12.F1480F19@algroup.co.uk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > ipfw add X pass udp from any to ${dnsserver} 53
> > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > ipfw add X+2 deny log udp from any to any 53
> > ipfw add X+3 dney log udp from any 53 to any
> 
> This breaks one of the basic rules of firewalling... Trusting traffic
> based on source address. To quote from the ipfw manual:
> 
>      Note that may be dangerous to filter on the source IP address or
> source
>      TCP/UDP port because either or both could easily be spoofed.
> 
> You've just let anyone that can spoof you DNS's source address onto any
> UDP port.

No he didn't, because you have spoofing rules in place *way* before
these rules are in place.  Now you're defending Rod who states that to
have a good firewall, you need a lot more information about the internal
network and services provided than can be produced generically.

However, I think what you're proposing is better than what exists, so
gofer it!


Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message