From owner-freebsd-security Fri Dec 3 8:55:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 45CF515032; Fri, 3 Dec 1999 08:55:39 -0800 (PST) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id JAA28645; Fri, 3 Dec 1999 09:54:01 -0700 (MST) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id JAA11157; Fri, 3 Dec 1999 09:53:59 -0700 Date: Fri, 3 Dec 1999 09:53:59 -0700 Message-Id: <199912031653.JAA11157@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Adam Laurie Cc: Nate Williams , "Rodney W. Grimes" , John Baldwin , freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited In-Reply-To: <3847F47B.834A27AE@algroup.co.uk> References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <199912031600.JAA10966@mt.sri.com> <3847F47B.834A27AE@algroup.co.uk> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > This simply stops traffic that's pretending to be your internal network > > > coming in from the outside, and vice versa. It does not help with other > > > networks being spoofed. > > > > True, but neither did the rules you (?) proposed previously. The rules > > Rod listed limited the packets to come/go *only* from the internal DNS > > server on the network, so in no way makes it any worse that what was > > proposed, and only makes it better. However, they require more > > knowledge of the external IP address of the box as well as the external > > interface, along with the internal IP addresses. > > I disagree. My rule blocks traffic to UDP ports that are required to be > protected, regardless of where they come from. Rod's rules allow the > name server to connect to ANY UDP port. That is the problem. You mis-read them, read them again. ipfw add X pass udp from any to ${dnsserver} 53 ipfw add X+1 pass udp from ${dnsserver} 53 to any ipfw add X+2 deny log udp from any to any 53 ipfw add X+3 dney log udp from any 53 to any The DNS server is only allowed to send packets *from* port 53 to any port (which it must because the request comes from random ports). As long as we don't allow 'spoofed' traffic to appear to be coming from $dnsserver, this is a very safe set of rules (although incomplete, as Rod points out). Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message