Date:      Thu, 30 Nov 2000 16:39:37 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        "Roberto Samarone Araujo (RSA)" <sama@supridad.com.br>, freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD Firewall - Help please
Message-ID:  <20001130163937.D9269@ringworld.oblivion.bg>
In-Reply-To: <3A26643D.E0CCD8FD@algroup.co.uk>; from adam@algroup.co.uk on Thu, Nov 30, 2000 at 02:29:17PM +0000
References:  <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk>

On Thu, Nov 30, 2000 at 02:29:17PM +0000, Adam Laurie wrote:
[snip]
> > 
> > > ## Allow DNS queries out in the world
> > > $fw add pass udp from any 53 to $ip
> > > $fw add pass udp from $ip to any
> > > ## Allow DNS access to my DNS
> > > $fw add pass tcp from any to $ip 53 setup
> > 
> > If you are running a nameserver and you want to allow the world to query
> > your server, then you should allow UDP queries to port 53, not just TCP.
> 
> <yet again>
> even if you're not, you don't want to allow any traffic based on source
> port (see "## Allow DNS queries out in the world" rule).
> </yet again>

Much too true..  indeed, for those who haven't seen it the first few
thousand times, there are numerous telnet- and netcat-like utilities,
that are able to connect to previously installed backdoors, sending
TCP or UDP packets with a specified source port.  The above-pasted
firewall config will happily let those in, assuming they are DNS replies.

The only way to get around this is with a stateful firewall - allowing
UDP-source-port-53 traffic only after an outgoing UDP packet to that
host's port 53.

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
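The point Peter makes above, as an added example that is not part of the thread: a small Python model of the two UDP rule styles, the quoted source-port rule (`pass udp from any 53 to $ip`) beside a stateful one of the kind ipfw's `keep-state`/`check-state` provides. The addresses, ports and packet sequence are constructed for the demonstration, and the filter is a model of the rule logic, not ipfw itself.

```python
"""
Why trusting the source port fails, and what a stateful rule adds.
Added example, not code from the original thread; addresses, ports and
the packet sequence are constructed for the demonstration.

The two rule styles being compared, in ipfw terms:

  stateless (the config quoted in the thread):
    $fw add pass udp from any 53 to $ip      # trusts the source port
    $fw add pass udp from $ip to any

  stateful (what Peter describes):
    $fw add check-state
    $fw add pass udp from $ip to any 53 keep-state
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


MY_IP = "192.0.2.10"  # assumed address of the firewalled host (constructed)


def stateless_pass(pkt: Packet) -> bool:
    """The two UDP rules quoted in the thread: anything arriving from source
    port 53 is accepted as a 'DNS reply', whoever actually sent it."""
    if pkt.proto != "udp":
        return False
    return (pkt.sport == 53 and pkt.dst == MY_IP) or pkt.src == MY_IP


class StatefulFilter:
    """Inbound UDP from <host>:53 is accepted only if we recently sent a UDP
    packet to <host>:53 from the port the reply is addressed to.  This
    mirrors the dynamic-rule behaviour of ipfw's keep-state / check-state."""

    def __init__(self, lifetime: float = 10.0):
        self.lifetime = lifetime
        # (peer ip, peer port, our port) -> expiry time
        self.state: dict[tuple[str, int, int], float] = {}

    def _expire(self, now: float) -> None:
        self.state = {k: t for k, t in self.state.items() if t > now}

    def process(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.proto != "udp":
            return False
        if pkt.src == MY_IP and pkt.dport == 53:
            # Outbound query: open a dynamic entry that only the matching
            # reply (same peer, port 53, back to our source port) can use.
            self.state[(pkt.dst, 53, pkt.sport)] = now + self.lifetime
            return True
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == MY_IP and key in self.state:
            # Live entry found; refresh its lifetime as ipfw does.
            self.state[key] = now + self.lifetime
            return True
        return False


def scenario() -> dict[str, tuple[bool, bool]]:
    """Run a constructed packet sequence through both filters.
    Returns name -> (stateless verdict, stateful verdict)."""
    f = StatefulFilter(lifetime=10.0)
    resolver = "198.51.100.53"
    query = Packet("udp", MY_IP, 40000, resolver, 53)
    reply = Packet("udp", resolver, 53, MY_IP, 40000)
    # An attacker reaching a listener on our box, choosing source port 53.
    spoofed = Packet("udp", "203.0.113.7", 53, MY_IP, 31337)
    # Same resolver, source port 53, but aimed at a port that sent no query.
    unsolicited = Packet("udp", resolver, 53, MY_IP, 31337)

    out: dict[str, tuple[bool, bool]] = {}
    out["query"] = (stateless_pass(query), f.process(query, 0.0))
    out["reply"] = (stateless_pass(reply), f.process(reply, 1.0))
    out["spoofed"] = (stateless_pass(spoofed), f.process(spoofed, 2.0))
    out["unsolicited"] = (stateless_pass(unsolicited), f.process(unsolicited, 3.0))
    out["late_reply"] = (stateless_pass(reply), f.process(reply, 30.0))  # entry expired
    return out


if __name__ == "__main__":
    for name, (stateless, stateful) in scenario().items():
        print(f"{name:12s} stateless={'pass' if stateless else 'drop':4s} "
              f"stateful={'pass' if stateful else 'drop'}")
```

The stateless rule passes every packet in the sequence, including the attacker's, because the source port is the only thing it looks at. The stateful filter passes the genuine reply and drops the rest: the spoofed packet and the unsolicited one match no outbound query, and the late reply arrives after the dynamic entry has expired.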




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001130163937.D9269>