From owner-freebsd-security Mon Nov 1 7:37:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 1B87414FD8 for ; Mon, 1 Nov 1999 07:37:55 -0800 (PST) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id PAA03288; Mon, 1 Nov 1999 15:37:23 GMT
Message-ID: <381DB3B2.10002A43@algroup.co.uk>
Date: Mon, 01 Nov 1999 15:37:22 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.07 [en] (Win95; I)
MIME-Version: 1.0
To: sthaug@nethelp.no
Cc: security@FreeBSD.ORG
Subject: Re: hole(s) in default rc.firewall rules
References: <381DAEE9.75C2EDA5@algroup.co.uk> <46576.941469757@verdi.nethelp.no>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sthaug@nethelp.no wrote:
> 
> > By setting their source port to 53 or 123, an attacker can bypass your
> > firewall and connect to any UDP listener.
> > 
> > I propose the following alternative:
> > 
> > # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
> > # and all other high ports. Allow outgoing UDP.
> > $fwcmd add pass udp from any to ${ip} 123
> > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> > $fwcmd add pass udp from any to any
> 
> If you block incoming UDP traffic with source port 53, you have very
> effectively blocked answers from all name servers outside your firewall.
> Is that what you want to do?

No, and it doesn't. I'm not blocking anything based on source port. I'm
blocking UDP traffic to any low port. DNS replies come in on high ports
(at least this is true on the half dozen or so boxes that I've
implemented this on, whether they are NAT/firewall boxes or stand-alone
PCs).

NTP, on the other hand, comes in on 123, which is why I've specifically
allowed it.

cheers,
Adam
-- 
Adam Laurie                  Tel: +44 (181) 742 0755
A.L. Digital Ltd.            Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage           http://www.aldigital.co.uk
London W4 4GB                mailto:adam@algroup.co.uk
UNITED KINGDOM               PGP key on keyservers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
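As an added example (not part of Adam's mail, nor of the FreeBSD rc.firewall script), a small Python first-match evaluator for the three rules quoted above, showing that they decide on the inbound packet's destination port rather than its source port. The host address, the sample packets, and the shape of the source-port-based rule set they are compared against are constructed assumptions, not text from the thread.

```python
# Added example: a minimal ipfw-style first-match walk over UDP rules of the
# form "pass|deny udp from <src> [sport] to <dst> [dport-list]".
# Port lists use ipfw's "a-b,c,d" form; hosts are "any" or "${ip}".
import re

IP = "192.0.2.10"  # constructed stand-in for ${ip} in the quoted rules

# The rules proposed in the quoted mail, minus the "$fwcmd add" prefix.
PROPOSED = [
    "pass udp from any to ${ip} 123",
    "deny udp from any to ${ip} 0-1023,1110,2049",
    "pass udp from any to any",
]

# Assumed shape of a rule set that trusts the *source* port, the pattern the
# thread warns about (constructed here; not the actual rc.firewall text).
SOURCE_PORT_BASED = [
    "pass udp from ${ip} to any",
    "pass udp from any 53 to ${ip}",
    "pass udp from any 123 to ${ip}",
    "deny udp from any to ${ip}",
]

RULE = re.compile(r"(pass|deny) udp from (\S+)(?: (\S+))? to (\S+)(?: (\S+))?$")

def port_matches(spec, port):
    """True if port is in an ipfw port list such as '0-1023,1110,2049' (None = any)."""
    if spec is None:
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def host_matches(spec, addr):
    return spec == "any" or spec.replace("${ip}", IP) == addr

def evaluate(rules, src, sport, dst, dport):
    """Return the action of the first matching rule; implicit deny if none match."""
    for rule in rules:
        action, s, sp, d, dp = RULE.match(rule).groups()
        if (host_matches(s, src) and port_matches(sp, sport)
                and host_matches(d, dst) and port_matches(dp, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    # An inbound datagram with source port 53 aimed at the NFS port (2049):
    # the source-port rule set lets it through, the proposed set denies it.
    print(evaluate(SOURCE_PORT_BASED, "198.51.100.1", 53, IP, 2049))  # pass
    print(evaluate(PROPOSED, "198.51.100.1", 53, IP, 2049))           # deny
```

The evaluator also makes the case sthaug raised visible: a reply to port 53 itself (as a name server sending its queries from port 53 would receive) falls under the second proposed rule, while a resolver reply to a high port passes.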