From: Adam Laurie
Organization: A.L. Group plc
To: Group Paranoia
Subject: hole(s) in default rc.firewall rules
Date: Mon, 01 Nov 1999 15:16:57 +0000
Message-ID: <381DAEE9.75C2EDA5@algroup.co.uk>

*,

It seems to me that the following rules (and multiple variations) provide a
Great Big Hole(tm) through ipfw into your UDP services...

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

By setting their source port to 53 or 123, an attacker can bypass your
firewall and connect to any UDP listener.

I propose the following alternative:

    # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
    # and all other high ports. Allow outgoing UDP.
    $fwcmd add pass udp from any to ${ip} 123
    $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
    $fwcmd add pass udp from any to any

cheers,
Adam
--
Adam Laurie                Tel: +44 (181) 742 0755
A.L. Digital Ltd.          Fax: +44 (181) 742 5995
Voysey House               http://www.aldigital.co.uk
Barley Mow Passage         mailto:adam@algroup.co.uk
London W4 4GB              PGP key on keyservers
UNITED KINGDOM
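To make the difference between the two rulesets concrete, here is an added example (not part of the original mail, and not ipfw itself): a small first-match evaluator with ipfw-like semantics, fed the inbound rules quoted above. The host address 192.0.2.10 stands in for ${ip} and is a constructed value.

```python
from typing import FrozenSet, Optional
from dataclasses import dataclass

IP = "192.0.2.10"  # constructed stand-in for ${ip}, the firewall host

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "deny"
    src_ports: Optional[FrozenSet[int]]  # None means "any" source port
    dst_host: Optional[str]              # None means "any" destination host
    dst_ports: Optional[FrozenSet[int]]  # None means "any" destination port

def ports(spec: str) -> FrozenSet[int]:
    """Parse an ipfw-style port list such as '0-1023,1110,2049' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(out)

def verdict(rules, src_port: int, dst_host: str, dst_port: int) -> str:
    """First matching rule decides; no match falls through to ipfw's default deny."""
    for r in rules:
        if r.src_ports is not None and src_port not in r.src_ports:
            continue
        if r.dst_host is not None and dst_host != r.dst_host:
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        return r.action
    return "deny"

# Inbound half of the default rc.firewall rules quoted in the mail.
DEFAULT = [
    Rule("pass", ports("53"), IP, None),   # pass udp from any 53 to ${ip}
    Rule("pass", ports("123"), IP, None),  # pass udp from any 123 to ${ip}
]

# The proposed replacement, in the order given in the mail.
PROPOSED = [
    Rule("pass", None, IP, ports("123")),               # pass udp from any to ${ip} 123
    Rule("deny", None, IP, ports("0-1023,1110,2049")),  # deny udp from any to ${ip} low/NFS
    Rule("pass", None, None, None),                     # pass udp from any to any
]

if __name__ == "__main__":
    # Source port 53 aimed at NFS (2049): passes the default rules, denied by the proposal.
    print(verdict(DEFAULT, 53, IP, 2049), verdict(PROPOSED, 53, IP, 2049))
```

Note that the proposed set deliberately admits UDP from any source port to unlisted high ports, which is the trade-off the mail accepts in exchange for DNS and NTP replies working without source-port trust.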