From: Johann Visagie
To: Philippe Regnauld
Cc: security@FreeBSD.ORG
Subject: Re: ipfw & icmp question
Date: Tue, 21 Jul 1998 14:24:51 +0200
Message-ID: <19980721142451.A4361@cityip.co.za>
In-Reply-To: <19980530234807.14632@deepo.prosa.dk>

On Sat, 30 May 1998 at 23:48 SAT, Philippe Regnauld wrote:
>
> I am a bit puzzled regarding the following situation:
>
> I have a machine with IPFW setup to send "port unreachable" if
> a connection attempt is made on port 113/TCP (identd). The policy
> is default deny. Here is what happens when I do "telnet host 113"

Sorry, can't help you with that one. I just allow queries to 113/tcp and
make sure there's nothing running on the port. *shrug*

> PS: in the /etc/rc.firewall (2.2.6 still), one rule says
> for the "Simple firewall setup":
>
> # Allow DNS queries out in the world
> /sbin/ipfw add pass udp from any 53 to ${oip}
> /sbin/ipfw add pass udp from ${oip} to any 53
>
> This is a bit confusing -- from reading the rules, I understand:
>
> "Allow DNS queries, from out in the world, to us", while
> the formulation above says "Allow DNS queries from inside/here
> out into the world".

Nope, your resolver library will originate the query on an arbitrary port
greater than 1023, and connect to 53/udp on the remote nameserver. The
remote nameserver returns the reply from its port 53 to your arbitrary
port. The above rules allow _your_ host to query a remote host, as the
comment indicates. To enable it the other way round:

  /sbin/ipfw add pass udp from ${oip} 53 to any
  /sbin/ipfw add pass udp from any to ${oip} 53

However, it may not be necessary to add the above rules, since most
resolver libraries will try to query via TCP if UDP fails, i.e. you can
simply add:

  /sbin/ipfw add pass tcp from any to ${oip} 53 setup

(Assuming you allow already established connections by default elsewhere.)

-- V
Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878
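The point of the reply above is that the direction of a DNS rule is fixed by which side carries port 53. The following is an added example, not code from the FreeBSD project or from either participant in the thread: a toy first-match evaluator for exactly the rule shapes quoted in the mail (pass udp/tcp, from/to with optional port, the setup and established keywords, default deny). It walks the rc.firewall pair, the reversed pair and the TCP setup rule against constructed packets to show which traffic each set actually admits. The addresses for ${oip}, the remote nameserver and the outside client are constructed sample values from the documentation ranges.

```python
"""Toy evaluator for the ipfw rule shapes discussed in the thread (added example).

Only the grammar that appears in the mail is handled:

    [/sbin/ipfw] add pass|deny udp|tcp from <addr> [port] to <addr> [port] [setup|established]

Rules are tried in order and the first match decides; nothing matching falls
through to the default-deny policy the original poster is running.
"""
from dataclasses import dataclass

OIP = "203.0.113.1"          # constructed: our own address, stands in for ${oip}
REMOTE_NS = "198.51.100.53"  # constructed: nameserver our resolver queries
CLIENT = "192.0.2.7"         # constructed: outside host querying a nameserver on ${oip}


@dataclass(frozen=True)
class Packet:
    proto: str           # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP flags; ignored for udp
    ack: bool = False


def parse_rule(text):
    """Turn one '/sbin/ipfw add ...' line into a dict of match criteria."""
    words = text.replace("${oip}", OIP).split()
    if words[0].endswith("ipfw"):          # tolerate the leading command name
        words = words[1:]
    assert words[0] == "add", "only 'add' rules are supported"
    action, proto = words[1], words[2]
    assert action in ("pass", "deny") and proto in ("udp", "tcp")
    assert words[3] == "from"
    to_idx = words.index("to")
    src_part = words[4:to_idx]
    rest = words[to_idx + 1:]
    flags = set()
    while rest and rest[-1] in ("setup", "established"):
        flags.add(rest.pop())              # trailing TCP-state keywords

    def endpoint(part):                    # "<addr> [port]" -> (addr, port or None)
        return part[0], (int(part[1]) if len(part) > 1 else None)

    src, sport = endpoint(src_part)
    dst, dport = endpoint(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def rule_matches(rule, pkt):
    """A rule matches when every criterion it states agrees with the packet."""
    if rule["proto"] != pkt.proto:
        return False
    if rule["src"] != "any" and rule["src"] != pkt.src:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if "setup" in rule["flags"] and not (pkt.syn and not pkt.ack):
        return False                       # setup = SYN without ACK, i.e. a new connection
    if "established" in rule["flags"] and not pkt.ack:
        return False                       # established = ACK already set
    return True


def verdict(rules, pkt):
    """First-match semantics with default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


# The pair from rc.firewall quoted in the mail: lets *our* resolver query out.
OUTBOUND_DNS = [parse_rule(line) for line in (
    "/sbin/ipfw add pass udp from any 53 to ${oip}",
    "/sbin/ipfw add pass udp from ${oip} to any 53",
)]
# The reversed pair from the reply: lets outside hosts query a nameserver on ${oip}.
INBOUND_DNS = [parse_rule(line) for line in (
    "/sbin/ipfw add pass udp from ${oip} 53 to any",
    "/sbin/ipfw add pass udp from any to ${oip} 53",
)]
# The TCP alternative, with and without the "established elsewhere" rule the reply assumes.
TCP_SETUP_ONLY = [parse_rule("/sbin/ipfw add pass tcp from any to ${oip} 53 setup")]
TCP_WITH_ESTABLISHED = TCP_SETUP_ONLY + [parse_rule("add pass tcp from any to any established")]

# Constructed packets for the four UDP directions and the two TCP phases.
OUR_QUERY = Packet("udp", OIP, 3456, REMOTE_NS, 53)     # resolver: ephemeral port -> remote 53
THEIR_REPLY = Packet("udp", REMOTE_NS, 53, OIP, 3456)   # remote 53 -> our ephemeral port
THEIR_QUERY = Packet("udp", CLIENT, 4000, OIP, 53)      # outside client -> our nameserver
OUR_REPLY = Packet("udp", OIP, 53, CLIENT, 4000)        # our nameserver -> outside client
TCP_SYN = Packet("tcp", CLIENT, 5000, OIP, 53, syn=True)
TCP_DATA = Packet("tcp", CLIENT, 5000, OIP, 53, ack=True)


def direction_table(rules):
    """Verdict for each of the four UDP packets under a rule set."""
    return {name: verdict(rules, pkt) for name, pkt in (
        ("our query", OUR_QUERY), ("their reply", THEIR_REPLY),
        ("their query", THEIR_QUERY), ("our reply", OUR_REPLY))}


if __name__ == "__main__":
    for label, rules in (("rc.firewall pair", OUTBOUND_DNS), ("reversed pair", INBOUND_DNS)):
        print(label, direction_table(rules))
    print("tcp setup only:", verdict(TCP_SETUP_ONLY, TCP_SYN), verdict(TCP_SETUP_ONLY, TCP_DATA))
    print("tcp + established:", verdict(TCP_WITH_ESTABLISHED, TCP_SYN), verdict(TCP_WITH_ESTABLISHED, TCP_DATA))
```

Running it prints that the rc.firewall pair passes only our query and the answer to it, the reversed pair passes only the outside client's query and our answer, and the setup-only TCP rule admits the SYN but drops the rest of the connection until an established rule is present, which is the caveat in the reply's last line.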