Date: Thu, 30 Nov 2000 16:01:22 -0800
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: Peter Pentchev <roam@orbitel.bg>, Adam Laurie <adam@algroup.co.uk>
Cc: "Roberto Samarone Araujo (RSA)" <sama@supridad.com.br>, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Firewall - Help please
Message-ID: <200012010001.QAA01418@salsa.gv.tsc.tdk.com>
In-Reply-To: <20001130163937.D9269@ringworld.oblivion.bg>
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg>
On Nov 30, 4:39pm, Peter Pentchev wrote:
} Subject: Re: FreeBSD Firewall - Help please
} Much too true.. indeed, for those who haven't seen it the first few
} thousand times, there are numerous telnet- and netcat-like utilities,
} that are able to connect to previously installed backdoors, sending
} TCP or UDP packets with a specified source port. The above-pasted
} firewall config will happily let those in, assuming they are DNS replies.
}
} The only way to get around this is with a stateful firewall - allowing
} UDP-source-port-53 traffic only after an outgoing UDP packet to that
} host's port 53.

... or run named and only allow responses to go to its query-source
port. The disadvantage of this is that you can't debug DNS problems by
pointing dig at other name servers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
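The three filtering policies discussed in this exchange, as an added example that is not code from the thread or from any poster: a stateless "source port 53 is a DNS reply" rule, a stateful rule that only admits a reply matching a remembered outbound query, and Don Lewis's alternative of pinning replies to named's query-source port. The original poster's firewall config is not reproduced on this page, so the ipfw-style rules in the comments are assumed illustrations of the pattern, not the posted rule set; the addresses, the named query-source port (5353) and the backdoor port (31337) are constructed for the example.

```python
# Added example (not from the thread): simulate how a stateless
# "allow udp from any 53" rule, a stateful filter, and a query-source
# pinned rule each treat a DNS reply versus a backdoor probe that simply
# chooses source port 53.  The ipfw fragments in the docstrings are
# assumed illustrations, not the config the original poster showed.
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = arriving from the outside interface


INSIDE = "192.0.2.10"      # our host (constructed, RFC 5737 range)
NAMED_QUERY_PORT = 5353    # assumed query-source port configured in named


def stateless_allows(pkt):
    """The rule the thread warns about.  Rough ipfw shape:
         add allow udp from any 53 to any in
    Anything claiming source port 53 is let in, whatever the destination
    port, so a probe aimed at a backdoor listener passes as a 'reply'."""
    return pkt.inbound and pkt.src_port == 53


class StatefulFilter:
    """Dynamic rule: remember each outbound query to port 53 and admit only
    the matching reply (reversed 4-tuple) once, within a lifetime.
    Rough ipfw shape:
         add check-state
         add allow udp from me to any 53 out keep-state
    """

    def __init__(self, lifetime=10):
        self.lifetime = lifetime
        self.pending = {}  # (remote_ip, remote_port, local_ip, local_port) -> expiry

    def allows(self, pkt, now):
        # Drop state that has outlived its lifetime.
        self.pending = {k: v for k, v in self.pending.items() if v > now}
        if not pkt.inbound and pkt.dst_port == 53:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            self.pending[key] = now + self.lifetime
            return True
        if pkt.inbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.pending:
                del self.pending[key]  # one reply per query; a replay is refused
                return True
        return False


def query_source_allows(pkt):
    """Don Lewis's alternative: named sends from a fixed query-source port,
    and the filter admits port-53 traffic only to that port.  Still
    stateless, but a forged source port 53 can only ever reach named, not
    an arbitrary listener.  The cost he notes: dig from a random local
    port to some other server gets no reply back."""
    return (pkt.inbound and pkt.src_port == 53
            and pkt.dst_ip == INSIDE and pkt.dst_port == NAMED_QUERY_PORT)


def demo():
    """Run the three policies over constructed traffic; returns the verdicts."""
    resolver = "198.51.100.1"   # constructed upstream name server
    other_ns = "198.51.100.2"   # a server we point dig at for debugging
    attacker = "203.0.113.7"    # constructed attacker address

    query = UdpPacket(INSIDE, NAMED_QUERY_PORT, resolver, 53, inbound=False)
    reply = UdpPacket(resolver, 53, INSIDE, NAMED_QUERY_PORT, inbound=True)
    dig_query = UdpPacket(INSIDE, 41000, other_ns, 53, inbound=False)
    dig_reply = UdpPacket(other_ns, 53, INSIDE, 41000, inbound=True)
    # The backdoor probe: attacker-chosen source port 53, arbitrary dst port.
    probe = UdpPacket(attacker, 53, INSIDE, 31337, inbound=True)

    sf = StatefulFilter(lifetime=10)
    sf.allows(query, now=0)
    sf.allows(dig_query, now=0)
    stateful = {
        "reply": sf.allows(reply, now=1),
        "replay": sf.allows(reply, now=2),   # same reply again: state consumed
        "probe": sf.allows(probe, now=2),
        "dig": sf.allows(dig_reply, now=3),
    }
    stale = StatefulFilter(lifetime=10)
    stale.allows(query, now=0)
    stateful["late"] = stale.allows(reply, now=11)  # state expired

    return {
        "stateless": {"reply": stateless_allows(reply),
                      "dig": stateless_allows(dig_reply),
                      "probe": stateless_allows(probe)},
        "stateful": stateful,
        "query_source": {"reply": query_source_allows(reply),
                         "dig": query_source_allows(dig_reply),
                         "probe": query_source_allows(probe)},
    }


if __name__ == "__main__":
    for policy, verdicts in demo().items():
        print(policy, verdicts)
```

The stateless policy admits the probe exactly as Peter Pentchev describes; the stateful one admits the real reply and the dig reply but refuses the probe, a replayed reply, and a reply arriving after the state has expired; the query-source policy refuses the probe but also refuses the dig reply, which is the debugging drawback Don Lewis points out.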