From owner-freebsd-security Thu Nov 30 6:40:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (pool73-tch-1.Sofia.0rbitel.net [212.95.170.73]) by hub.freebsd.org (Postfix) with SMTP id DCD4437B400 for ; Thu, 30 Nov 2000 06:40:14 -0800 (PST) Received: (qmail 15986 invoked by uid 1000); 30 Nov 2000 14:39:37 -0000 Date: Thu, 30 Nov 2000 16:39:37 +0200 From: Peter Pentchev To: Adam Laurie Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Firewall - Help please Message-ID: <20001130163937.D9269@ringworld.oblivion.bg> Mail-Followup-To: Adam Laurie , "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A26643D.E0CCD8FD@algroup.co.uk>; from adam@algroup.co.uk on Thu, Nov 30, 2000 at 02:29:17PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 30, 2000 at 02:29:17PM +0000, Adam Laurie wrote: [snip] > > > > > ## Allow DNS queries out in the world > > > $fw add pass udp from any 53 to $ip > > > $fw add pass udp from $ip to any > > > ## Allow DNS access to my DNS > > > $fw add pass tcp from any to $ip 53 setup > > > > If you are running a nameserver and you want to allow the world to query > > your server, then you should allow UDP queries to port 53, not just TCP. > > > even if you're not, you don't want to allow any traffic based on source > port (see "## Allow DNS queries out in the world" rule). > Much too true.. indeed, for those who haven't seen it the first few thousand times, there are numerous telnet- and netcat-like utilities, that are able to connect to previously installed backdoors, sending TCP or UDP packets with a specified source port. The above-pasted firewall config will happily let those in, assuming they are DNS replies. The only way to get around this is with a stateful firewall - allowing UDP-source-port-53 traffic only after an outgoing UDP packet to that host's port 53. G'luck, Peter -- .siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message