From owner-freebsd-security Fri Dec 3 10:05:57 1999
Date: Fri, 03 Dec 1999 18:04:19 +0000
From: Adam Laurie
To: "Rodney W. Grimes"
Cc: Nate Williams, John Baldwin, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
Message-ID: <38480623.518D798D@algroup.co.uk>
References: <199912031748.JAA77378@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
>
> > Nate Williams wrote:
> >
> > > >
> > > > And, of course, it also means you are wide open to attack from a
> > > > compromised name server. I do not want to trust hosts. I want to trust
> > > > specific connections to specific services.
> > >
> > > How do you propose to stop a compromised name server from giving out
> > > bogus information using a firewall rule? I'm curious...
> >
> > Please re-read my statement. Who said anything about bogus information?
> > I'm talking about connecting to UDP ports (like NFS) that you're not
> > supposed to be able to connect to. Since his rule passes UDP that is
> > sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> > you are wide open to *attack*, not misinformation. At some point, your
> > chain of name servers has to talk to the outside world, so this means
> > the machine that does the final relay is open to attack from the outside
> > world.
>
> Someone hand Adam a pair of wire cutters, that is the only way he is
> going to get the firewall he wants.

No, that is precisely my point. My set of rules allows DNS, but blocks
attacks. Just try it!

cheers,
Adam
--
Adam Laurie                 Tel: +44 (181) 742 0755
A.L. Digital Ltd.           Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage          http://www.aldigital.co.uk
London W4 4GB               mailto:adam@algroup.co.uk
UNITED KINGDOM              PGP key on keyservers
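The rule shape the thread criticises ("pass UDP sourced from port 53 on the name server to any port") next to a tighter form, as an added example that is not from the thread or from FreeBSD's rc.firewall: a first-match evaluator for the small subset of ipfw syntax such rules use, run over constructed datagrams. It assumes documentation-range addresses and, for the tight rule, that the local resolver sends its queries from port 53 so that replies can be confined to that single destination port; a resolver using ephemeral source ports would need a different rule.

```python
# Added example, not from the thread or FreeBSD's rc.firewall: a first-match evaluator
# for the subset of ipfw syntax these rules use, to compare the two rule shapes on
# concrete datagrams. Addresses are constructed (RFC 5737 range); the "tight" rule
# assumes the local resolver sends its queries from port 53 so replies can be pinned.
from collections import namedtuple
Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_endpoint(tokens):
    """Consume '<addr>' optionally followed by '<port>' or '<lo>-<hi>'."""
    addr = tokens.pop(0)
    if tokens and tokens[0] != "to":
        lo, _, hi = tokens.pop(0).partition("-")
        return addr, (int(lo), int(hi or lo))
    return addr, None  # no port clause: any port matches

def parse_rule(text):
    """'pass udp from A 53 to B' -> (action, proto, src, sports, dst, dports)."""
    t = text.split()
    assert t[2] == "from", "unsupported rule form"
    rest = t[3:]
    src, sports = _parse_endpoint(rest)
    assert rest.pop(0) == "to", "unsupported rule form"
    dst, dports = _parse_endpoint(rest)
    return t[0], t[1], src, sports, dst, dports

def _matches(rule, p):
    _, proto, src, sports, dst, dports = rule
    host_ok = lambda want, have: want in ("any", have)
    port_ok = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    return (proto in ("ip", p.proto) and host_ok(src, p.src) and port_ok(sports, p.sport)
            and host_ok(dst, p.dst) and port_ok(dports, p.dport))

def verdict(ruleset, p):
    """First matching rule decides; ipfw's default final rule 65535 denies the rest."""
    for rule in map(parse_rule, ruleset):
        if _matches(rule, p):
            return rule[0]
    return "deny"

NS, HOST = "192.0.2.53", "192.0.2.10"  # constructed: upstream name server, firewalled host
LOOSE = [f"pass udp from {NS} 53 to {HOST}"]     # the shape criticised in the thread: any dst port
TIGHT = [f"pass udp from {NS} 53 to {HOST} 53"]  # only the local resolver's query port
DNS_REPLY_EPHEMERAL = Packet("udp", NS, 53, HOST, 34567)  # reply to a resolver's ephemeral port
DNS_REPLY_PORT53 = Packet("udp", NS, 53, HOST, 53)        # reply when queries go out from port 53
NFS_PROBE = Packet("udp", NS, 53, HOST, 2049)             # source port 53, aimed at NFS (udp/2049)

if __name__ == "__main__":
    for name, rs in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, [verdict(rs, p) for p in (DNS_REPLY_EPHEMERAL, DNS_REPLY_PORT53, NFS_PROBE)])
```

Under the loose rule the datagram aimed at udp/2049 is admitted exactly like a genuine reply; under the tight rule only traffic to the resolver's own query port gets through.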