Date:      Fri, 03 Dec 1999 18:04:19 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        Nate Williams <nate@mt.sri.com>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <38480623.518D798D@algroup.co.uk>
References:  <199912031748.JAA77378@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
> 
> > Nate Williams wrote:
> >
> > > >
> > > > And, of course, it also means you are wide open to attack from a
> > > > compromised name server. I do not want to trust hosts. I want to trust
> > > > specific connections to specific services.
> > >
> > > How do you propose to stop a compromised name server from giving out
> > > bogus information using a firewall rule?  I'm curious...
> >
> > Please re-read my statement. Who said anything about bogus information?
> > I'm talking about connecting to UDP ports (like NFS) that you're not
> > supposed to be able to connect to. Since his rule passes UDP that is
> > sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> > you are wide open to *attack*, not misinformation. At some point, your
> > chain of name servers has to talk to the outside world, so this means
> > the machine that does the final relay is open to attack from the outside
> > world.
> 
> Someone hand Adam a pair of wire cutters, that is the only way he is
> going to get the firewall he wants.

No, that is precisely my point. My set of rules allows DNS, but blocks
attacks. Just try it!

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
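The objection in the quoted text is to a rule of the form "allow udp from NAMESERVER 53 to any": once the relay name server is compromised, every UDP service on every inside host (RPC portmap on 111, NFS on 2049, ...) is reachable from it. Below is an added example, not code from the thread and not Adam's actual rule set, that models ipfw's first-match evaluation in Python and runs the same four packets through the loose rule and through one assumed tightening (accept replies from port 53 only to the unprivileged port range, and deny the RPC/NFS ports outright). The addresses, port numbers and rule texts are constructed for illustration.

```python
"""Added example (not from the thread): a toy first-match UDP packet filter
that models the loose ipfw rule under discussion and one assumed tightening.
Addresses are from the RFC 5737 documentation range; the TIGHT rule set is an
illustrative assumption, not the rule set Adam Laurie posted."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NAMESERVER = "192.0.2.53"    # constructed: the name server that relays to the outside world
INSIDE_HOST = "192.0.2.10"   # constructed: an inside host that also exports NFS
PORTMAP_PORT = 111
NFS_PORT = 2049


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    match: Callable[[Packet], bool]
    text: str                           # the ipfw-style rule this entry models


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """ipfw semantics: the first matching rule decides; fall through to default deny."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.text
    return "deny", "default deny"


# The rule Adam objects to: anything sourced from port 53 on the name server
# may reach ANY UDP port on ANY machine behind the firewall.
LOOSE: List[Rule] = [
    Rule("allow", lambda p: p.proto == "udp" and p.dst == NAMESERVER and p.dport == 53,
         f"allow udp from any to {NAMESERVER} 53"),
    Rule("allow", lambda p: p.proto == "udp" and p.src == NAMESERVER and p.sport == 53,
         f"allow udp from {NAMESERVER} 53 to any"),
]

# One assumed tightening: RPC/NFS ports are denied before anything else, and
# replies from port 53 are accepted only to the unprivileged port range that
# resolver libraries use for their source port.  (ipfw2's keep-state/check-state
# is the better tool; the port-range form is shown because it is self-contained.)
TIGHT: List[Rule] = [
    Rule("deny", lambda p: p.proto == "udp" and p.dport in (PORTMAP_PORT, NFS_PORT),
         f"deny udp from any to any {PORTMAP_PORT},{NFS_PORT}"),
    Rule("allow", lambda p: p.proto == "udp" and p.dst == NAMESERVER
         and p.dport == 53 and p.sport > 1023,
         f"allow udp from any 1024-65535 to {NAMESERVER} 53"),
    Rule("allow", lambda p: p.proto == "udp" and p.src == NAMESERVER
         and p.sport == 53 and p.dport > 1023,
         f"allow udp from {NAMESERVER} 53 to any 1024-65535"),
]

# Constructed sample traffic: two legitimate DNS packets and two packets a
# compromised name server might send from its port 53 at inside services.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns_query":      Packet("udp", INSIDE_HOST, 40000, NAMESERVER, 53),
    "dns_reply":      Packet("udp", NAMESERVER, 53, INSIDE_HOST, 40000),
    "portmap_attack": Packet("udp", NAMESERVER, 53, INSIDE_HOST, PORTMAP_PORT),
    "nfs_attack":     Packet("udp", NAMESERVER, 53, INSIDE_HOST, NFS_PORT),
}


def decide(rules: List[Rule], pkt: Packet) -> str:
    return evaluate(rules, pkt)[0]


def compare() -> Dict[str, Tuple[str, str]]:
    """Verdict of (LOOSE, TIGHT) for every sample packet."""
    return {name: (decide(LOOSE, p), decide(TIGHT, p))
            for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(f"{'packet':16} {'loose':8} {'tight':8} rule that decided under TIGHT")
    for name, pkt in SAMPLE_PACKETS.items():
        loose, tight = compare()[name]
        print(f"{name:16} {loose:8} {tight:8} {evaluate(TIGHT, pkt)[1]}")
```

Running it shows both rule sets passing the query and its reply, while the loose set also passes the packets aimed at 111 and 2049 and the tightened set drops them. The caveat a practitioner should keep in mind: the port-range rule assumes resolvers use source ports above 1023, so a name server that itself forwards queries from port 53 (as older BIND configurations did) needs a narrower exception for that pair of hosts, or a stateful rule, rather than the blanket "53 to any" that started this thread.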