Date: Mon, 01 Nov 1999 15:16:57 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Group Paranoia <security@FreeBSD.ORG>
Subject: hole(s) in default rc.firewall rules
Message-ID: <381DAEE9.75C2EDA5@algroup.co.uk>
*,

It seems to me that the following rules (and multiple variations) provide
a Great Big Hole(tm) through ipfw into your UDP services...

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

By setting their source port to 53 or 123, an attacker can bypass your
firewall and connect to any UDP listener.

I propose the following alternative:

    # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
    # and all other high ports. Allow outgoing UDP.
    $fwcmd add pass udp from any to ${ip} 123
    $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
    $fwcmd add pass udp from any to any

cheers,
Adam
--
Adam Laurie                Tel: +44 (181) 742 0755
A.L. Digital Ltd.          Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage         http://www.aldigital.co.uk
London W4 4GB              mailto:adam@algroup.co.uk
UNITED KINGDOM             PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
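The bypass Adam describes, and the effect of his replacement rules, can be checked without a FreeBSD box by replaying packets through a small first-match evaluator that follows ipfw semantics for the rule subset used above. This is an added example, not code from the post or from rc.firewall: it parses the two rule sets verbatim (with ${ip} substituted by a constructed address), assumes a final deny for anything no rule matches, and uses constructed attacker and resolver addresses. It shows that a probe with source port 53 (or 123) to a low port such as 111 or 2049 passes the original rules and is denied by the proposed ones, that genuine DNS and NTP replies pass both, and, as the comment on the proposed rules already says, that the proposed set still passes unsolicited UDP to high ports, which is the trade-off of a stateless filter.

```python
"""Replay UDP packets through ipfw-style first-match evaluation of the
two rule sets from the post (added example; not part of the original)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses from the documentation ranges; FW_IP stands in for ${ip}.
FW_IP = "192.0.2.10"
ATTACKER = "198.51.100.7"
RESOLVER = "203.0.113.53"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "deny"
    proto: str
    src: str                           # address or "any"
    sports: Optional[FrozenSet[int]]   # None means any source port
    dst: str
    dports: Optional[FrozenSet[int]]   # None means any destination port


def parse_ports(spec: str) -> FrozenSet[int]:
    """Expand an ipfw port list such as '0-1023,1110,2049' into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def parse_rule(line: str) -> Rule:
    """Parse '<action> udp from <addr> [ports] to <addr> [ports]'.

    Only the syntax subset that appears in the post is supported.
    """
    toks = line.split()
    if toks[2] != "from" or "to" not in toks:
        raise ValueError("unsupported rule: " + line)
    to = toks.index("to")
    src, dst = toks[3:to], toks[to + 1:]
    return Rule(
        action=toks[0], proto=toks[1],
        src=src[0], sports=parse_ports(src[1]) if len(src) > 1 else None,
        dst=dst[0], dports=parse_ports(dst[1]) if len(dst) > 1 else None,
    )


def matches(rule: Rule, p: Packet) -> bool:
    return (rule.proto == p.proto
            and rule.src in ("any", p.src)
            and (rule.sports is None or p.sport in rule.sports)
            and rule.dst in ("any", p.dst)
            and (rule.dports is None or p.dport in rule.dports))


def verdict(rules: List[Rule], p: Packet) -> str:
    """ipfw semantics: the first matching rule decides.  Assumed: anything
    no rule matches is denied (a trailing default deny)."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"


# The rules from the post, with ${ip} replaced by FW_IP.
ORIGINAL = [parse_rule(line) for line in [
    f"pass udp from any 53 to {FW_IP}",
    f"pass udp from {FW_IP} to any 53",
    f"pass udp from any 123 to {FW_IP}",
    f"pass udp from {FW_IP} to any 123",
]]
PROPOSED = [parse_rule(line) for line in [
    f"pass udp from any to {FW_IP} 123",
    f"deny udp from any to {FW_IP} 0-1023,1110,2049",
    "pass udp from any to any",
]]


def compare(p: Packet) -> Tuple[str, str]:
    """Return (verdict under ORIGINAL rules, verdict under PROPOSED rules)."""
    return verdict(ORIGINAL, p), verdict(PROPOSED, p)


if __name__ == "__main__":
    cases = {
        "probe src 53 -> portmapper 111":  Packet(ATTACKER, 53, FW_IP, 111),
        "probe src 123 -> NFS 2049":       Packet(ATTACKER, 123, FW_IP, 2049),
        "DNS reply 53 -> ephemeral 40000": Packet(RESOLVER, 53, FW_IP, 40000),
        "NTP reply 123 -> 123":            Packet(RESOLVER, 123, FW_IP, 123),
        "unsolicited 9999 -> 5000":        Packet(ATTACKER, 9999, FW_IP, 5000),
        "outbound query -> resolver 53":   Packet(FW_IP, 40000, RESOLVER, 53),
    }
    for name, pkt in cases.items():
        orig, prop = compare(pkt)
        print(f"{name:34s} original={orig:5s} proposed={prop}")
```

The evaluator deliberately models only address and port matching with first-match semantics; it does not model ipfw's rule numbering, `keep-state`, or the rest of the rc.firewall ruleset, so treat it as a way to reason about the two fragments quoted above, not as a substitute for testing the real ruleset.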
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?381DAEE9.75C2EDA5>