From owner-freebsd-security Fri Dec 3 8:55:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 15BFC15032; Fri, 3 Dec 1999 08:55:48 -0800 (PST) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id QAA22450; Fri, 3 Dec 1999 16:52:48 GMT
Message-ID: <3847F55E.B546B2EB@algroup.co.uk>
Date: Fri, 03 Dec 1999 16:52:46 +0000
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams
Cc: "Rodney W. Grimes", John Baldwin, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> 
> > And, of course, it also means you are wide open to attack from a
> > compromised name server. I do not want to trust hosts. I want to trust
> > specific connections to specific services.
> 
> How do you propose to stop a compromised name server from giving out
> bogus information using a firewall rule? I'm curious...

Please re-read my statement. Who said anything about bogus information?
I'm talking about connecting to UDP ports (like NFS) that you're not
supposed to be able to connect to. Since his rule passes UDP that is
sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
you are wide open to *attack*, not misinformation.
At some point, your chain of name servers has to talk to the outside
world, so this means the machine that does the final relay is open to
attack from the outside world.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
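To make Adam's point concrete, here is an added example (not part of the thread, and not the rc.firewall rules under discussion): a toy first-match evaluator for ipfw-style rules, applied to the rule as the thread characterises it ("allow udp from <nameserver> 53 to any") and to a narrower alternative. The addresses 192.0.2.53 and 192.0.2.20, the port numbers, the packets and the rule text are all constructed for illustration; the default-to-deny behaviour of unmatched traffic is an assumption of the model, not a claim about any particular kernel configuration.

```python
"""Added example (not from the thread): a toy first-match evaluator for
ipfw-style rules, showing what "allow udp from <nameserver> 53 to any"
actually admits. Addresses, ports and rule text are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMESERVER = "192.0.2.53"   # assumed address of the (possibly compromised) name server
INTERNAL = "192.0.2.20"     # assumed internal host running NFS on udp/2049

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "udp", "tcp" or "ip" (matches any protocol)
    src: str         # address or "any"
    sports: PortRange
    dst: str
    dports: PortRange

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sports and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dports and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        return True


def _endpoint(tokens: List[str]) -> Tuple[str, PortRange]:
    """Parse '<addr> [port | lo-hi]' as written after 'from' and 'to'."""
    addr = tokens[0]
    if len(tokens) == 1:
        return addr, None
    lo, _, hi = tokens[1].partition("-")
    return addr, (int(lo), int(hi or lo))


def parse_rule(text: str) -> Rule:
    """Parse the subset '<action> <proto> from <addr> [ports] to <addr> [ports]'."""
    t = text.split()
    if t[2] != "from" or "to" not in t:
        raise ValueError("unsupported rule syntax: %r" % text)
    i = t.index("to")
    src, sports = _endpoint(t[3:i])
    dst, dports = _endpoint(t[i + 1:])
    return Rule(t[0], t[1], src, sports, dst, dports)


def verdict(rules: List[str], p: Packet) -> str:
    """First matching rule wins, as in ipfw. Unmatched traffic is denied in
    this model (an assumption of the illustration, not a kernel fact)."""
    for r in (parse_rule(x) for x in rules):
        if r.matches(p):
            return r.action
    return "deny"


# The rule as characterised in the thread: anything sourced from the name
# server's port 53 is passed, whatever the destination host or port.
WEAK_RULES = [
    "allow udp from %s 53 to any" % NAMESERVER,
    "deny ip from any to any",
]

# A narrower alternative (constructed here, not taken from rc.firewall):
# block the service you care about first, then pass only what a resolver or a
# server-to-server exchange needs.
NARROW_RULES = [
    "deny udp from any to any 2049",
    "allow udp from %s 53 to any 53" % NAMESERVER,
    "allow udp from %s 53 to any 1024-65535" % NAMESERVER,
    "deny ip from any to any",
]

# Constructed packets, all sent from the name server with source port 53,
# which is the only thing the weak rule checks.
NFS_PROBE = Packet("udp", NAMESERVER, 53, INTERNAL, 2049)
PORTMAP_PROBE = Packet("udp", NAMESERVER, 53, INTERNAL, 111)
DNS_REPLY = Packet("udp", NAMESERVER, 53, INTERNAL, 40321)


def compare(p: Packet) -> Tuple[str, str]:
    """Verdict of the weak and the narrow rule set for the same packet."""
    return verdict(WEAK_RULES, p), verdict(NARROW_RULES, p)


if __name__ == "__main__":
    for name, p in [("NFS probe", NFS_PROBE), ("portmap probe", PORTMAP_PROBE),
                    ("DNS reply", DNS_REPLY)]:
        weak, narrow = compare(p)
        print("%-14s weak=%-5s narrow=%s" % (name, weak, narrow))
```

Running it shows the NFS and portmap probes passing the weak set and being dropped by the narrow one, while an ordinary reply to a resolver's unprivileged query port passes both. The caveat is the one Adam is making: the narrow set still trusts the host, because any UDP port above 1023 other than 2049 on the internal machine remains reachable from the name server's port 53. Trusting "specific connections to specific services" means matching inbound UDP against the outbound query it answers (stateful matching, which later ipfw releases provided with keep-state/check-state), not widening or narrowing a port range.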