Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 3 Dec 1999 09:53:59 -0700
From:      Nate Williams <nate@mt.sri.com>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        Nate Williams <nate@mt.sri.com>, "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <199912031653.JAA11157@mt.sri.com>
In-Reply-To: <3847F47B.834A27AE@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <199912031600.JAA10966@mt.sri.com> <3847F47B.834A27AE@algroup.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help 

> > > This simply stops traffic that's pretending to be your internal network
> > > coming in from the outside, and vice versa. It does not help with other
> > > networks being spoofed.
> > 
> > True, but neither did the rules you (?) proposed previously.  The rules
> > Rod listed limited the packets to come/go *only* from the internal DNS
> > server on the network, so in no way makes it any worse that what was
> > proposed, and only makes it better.  However, they require more
> > knowledge of the external IP address of the box as well as the external
> > interface, along with the internal IP addresses.
> 
> I disagree. My rule blocks traffic to UDP ports that are required to be
> protected, regardless of where they come from. Rod's rules allow the
> name server to connect to ANY UDP port. That is the problem.

You mis-read them, read them again.

ipfw add X pass udp from any to ${dnsserver} 53 
ipfw add X+1 pass udp from ${dnsserver} 53 to any 
ipfw add X+2 deny log udp from any to any 53 
ipfw add X+3 dney log udp from any 53 to any 

The DNS server is only allowed to send packets *from* port 53 to any
port (which it must because the request comes from random ports).

As long as we don't allow 'spoofed' traffic to appear to be coming from
$dnsserver, this is a very safe set of rules (although incomplete, as
Rod points out).



Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912031653.JAA11157>