From: sthaug@nethelp.no
To: adam@algroup.co.uk
Cc: security@FreeBSD.ORG
Subject: Re: hole(s) in default rc.firewall rules
Date: Mon, 01 Nov 1999 16:22:37 +0100
Message-ID: <46576.941469757@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 01 Nov 1999 15:16:57 +0000"
References: <381DAEE9.75C2EDA5@algroup.co.uk>

> By setting their source port to 53 or 123, an attacker can bypass your
> firewall and connect to any UDP listener.
>
> I propose the following alternative:
>
> # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
> # and all other high ports. Allow outgoing UDP.
> $fwcmd add pass udp from any to ${ip} 123
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> $fwcmd add pass udp from any to any

If you block incoming UDP traffic with source port 53, you have very
effectively blocked answers from all name servers outside your firewall.
Is that what you want to do?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
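As an added illustration that is not part of the thread, the following simulates ipfw first-match evaluation of the three proposed rules against constructed UDP packets, so the reader can check which traffic the rule set as written passes or denies. The firewall address 192.0.2.10 (standing in for ${ip}), the external addresses and the packets are all constructed for the example.

```python
from dataclasses import dataclass

FIREWALL_IP = "192.0.2.10"  # constructed stand-in for ${ip} in the thread

@dataclass
class Rule:
    action: str           # "pass" or "deny"
    dst: str              # "any" or one host address
    dst_ports: frozenset  # empty set means any destination port

def parse_ports(spec):
    """Expand an ipfw-style port list such as '0-1023,1110,2049'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)

# The three rules proposed in the thread, in ipfw order:
#   add pass udp from any to ${ip} 123
#   add deny udp from any to ${ip} 0-1023,1110,2049
#   add pass udp from any to any
PROPOSED_RULES = [
    Rule("pass", FIREWALL_IP, parse_ports("123")),
    Rule("deny", FIREWALL_IP, parse_ports("0-1023,1110,2049")),
    Rule("pass", "any", frozenset()),
]

def evaluate(rules, dst_ip, dst_port):
    """ipfw semantics: the first rule that matches decides the packet."""
    for rule in rules:
        if rule.dst != "any" and rule.dst != dst_ip:
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action
    return "deny"  # implicit default when no rule matched

# Constructed UDP packets: (description, src_port, dst_ip, dst_port). The
# source port is listed only to show that these rules never consult it.
SAMPLE_PACKETS = [
    ("DNS reply from external resolver", 53, FIREWALL_IP, 33000),
    ("NTP reply to local ntpd", 123, FIREWALL_IP, 123),
    ("forged src 53 aimed at NFS", 53, FIREWALL_IP, 2049),
    ("forged src 123 aimed at syslog", 123, FIREWALL_IP, 514),
    ("outbound DNS query", 33001, "198.51.100.5", 53),
]

def verdicts(packets=SAMPLE_PACKETS, rules=PROPOSED_RULES):
    return {desc: evaluate(rules, ip, port) for desc, _src, ip, port in packets}
```

Whether a rule keys on the source port or on the destination port is what decides if name-server replies to high local ports get through; the simulator evaluates the destination-port rules exactly as quoted.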