Date: Fri, 3 Dec 1999 09:00:35 -0700 From: Nate Williams <nate@mt.sri.com> To: Adam Laurie <adam@algroup.co.uk> Cc: Nate Williams <nate@mt.sri.com>, "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <199912031600.JAA10966@mt.sri.com> In-Reply-To: <3847ACBE.3D66A556@algroup.co.uk> References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > > ipfw add X pass udp from any to ${dnsserver} 53 > > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any > > > > ipfw add X+2 deny log udp from any to any 53 > > > > ipfw add X+3 dney log udp from any 53 to any > > > > > > This breaks one of the basic rules of firewalling... Trusting traffic > > > based on source address. To quote from the ipfw manual: > > > > > > Note that may be dangerous to filter on the source IP address or > > > source > > > TCP/UDP port because either or both could easily be spoofed. > > > > > > You've just let anyone that can spoof you DNS's source address onto any > > > UDP port. > > > > No he didn't, because you have spoofing rules in place *way* before > > these rules are in place. Now you're defending Rod who states that to > > have a good firewall, you need a lot more information about the internal > > network and services provided than can be produced generically. > > If only life were that simple. I assume the rule you're reffering to is: > > # Stop spoofing > $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} > $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} > > This simply stops traffic that's pretending to be your internal network > coming in from the outside, and vice versa. It does not help with other > networks being spoofed. True, but neither did the rules you (?) proposed previously. The rules Rod listed limited the packets to come/go *only* from the internal DNS server on the network, so in no way makes it any worse that what was proposed, and only makes it better. However, they require more knowledge of the external IP address of the box as well as the external interface, along with the internal IP addresses. > The bottom line is that if you're going to provide out-of-box firewall > rules, then they should be set up to protect the out-of-box > configuration. I don't believe you can do a great job of that, but we can do a better job than what we're currently doing. Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912031600.JAA10966>