From owner-freebsd-security Fri Dec 3 3:44:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id DA40615112; Fri, 3 Dec 1999 03:44:22 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id LAA08257; Fri, 3 Dec 1999 11:42:54 GMT Message-ID: <3847ACBE.3D66A556@algroup.co.uk> Date: Fri, 03 Dec 1999 11:42:54 +0000 From: Adam Laurie X-Mailer: Mozilla 4.7 [en-gb] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Nate Williams Cc: "Rodney W. Grimes" , John Baldwin , freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nate Williams wrote: > > > > ipfw add X pass udp from any to ${dnsserver} 53 > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any > > > ipfw add X+2 deny log udp from any to any 53 > > > ipfw add X+3 dney log udp from any 53 to any > > > > This breaks one of the basic rules of firewalling... Trusting traffic > > based on source address. To quote from the ipfw manual: > > > > Note that may be dangerous to filter on the source IP address or > > source > > TCP/UDP port because either or both could easily be spoofed. > > > > You've just let anyone that can spoof you DNS's source address onto any > > UDP port. > > No he didn't, because you have spoofing rules in place *way* before > these rules are in place. Now you're defending Rod who states that to > have a good firewall, you need a lot more information about the internal > network and services provided than can be produced generically. If only life were that simple. I assume the rule you're reffering to is: # Stop spoofing $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} This simply stops traffic that's pretending to be your internal network coming in from the outside, and vice versa. It does not help with other networks being spoofed. > > However, I think what you're proposing is better than what exists, so > gofer it! Unfortunately I'm not in that position... I am merely suggesting some fixes to the powers that be... If I ever get in touch with the person that can actually make the changes, I have some further enhancements I'd like to offer (a new section for a single pc, and moving most of the variables like IP addresses out into rc.conf where they belong). The bottom line is that if you're going to provide out-of-box firewall rules, then they should be set up to protect the out-of-box configuration. That shouldn't be too hard. Obviously, if the user then starts adding their own services, they need to worry about their own rules a bit more. cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message