From owner-freebsd-security Thu Nov 30 16: 4:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 2673B37B400 for ; Thu, 30 Nov 2000 16:04:11 -0800 (PST)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id QAA26262; Thu, 30 Nov 2000 16:01:23 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id QAA52048; Thu, 30 Nov 2000 16:01:22 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA01418; Thu, 30 Nov 2000 16:01:22 -0800 (PST)
From: Don Lewis
Message-Id: <200012010001.QAA01418@salsa.gv.tsc.tdk.com>
Date: Thu, 30 Nov 2000 16:01:22 -0800
In-Reply-To: <20001130163937.D9269@ringworld.oblivion.bg>
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Peter Pentchev , Adam Laurie
Subject: Re: FreeBSD Firewall - Help please
Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Nov 30, 4:39pm, Peter Pentchev wrote:
} Subject: Re: FreeBSD Firewall - Help please
} Much too true.. indeed, for those who haven't seen it the first few
} thousand times, there are numerous telnet- and netcat-like utilities,
} that are able to connect to previously installed backdoors, sending
} TCP or UDP packets with a specified source port. The above-pasted
} firewall config will happily let those in, assuming they are DNS replies.
}
} The only way to get around this is with a stateful firewall - allowing
} UDP-source-port-53 traffic only after an outgoing UDP packet to that
} host's port 53.

... or run named and only allow responses to go to its query-source port.
The disadvantage of this is that you can't debug DNS problems by pointing
dig at other name servers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
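The three policies discussed in this thread, contrasted on constructed sample traffic, as an added example that is not part of the original message or the FreeBSD project: the original "anything from UDP source port 53" rule, Don Lewis's "only to named's query-source port" variant, and Peter Pentchev's stateful variant. The toy filter below models each rule as a Python function; the ipfw rules in the comments are recalled FreeBSD 4.x ipfw syntax and the addresses, the named query-source port 1053 and the backdoor port 31337 are all assumptions chosen for the example.

```python
"""Toy packet filter contrasting three ways of admitting DNS replies.
Added example; the ipfw rules in comments and all addresses/ports are assumed."""
from dataclasses import dataclass

FIREWALL_IP = "192.0.2.10"        # constructed: address of the firewall/resolver host
NAMED_QUERY_SOURCE_PORT = 1053    # assumed: named.conf has  query-source address * port 1053;


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (leaving the firewall) or "in" (arriving from outside)


def source_port_only(pkt, state):
    """The original config's weak rule, roughly:  ipfw add allow udp from any 53 to any
    Any inbound UDP with source port 53 is admitted, whatever the destination port."""
    return pkt.proto == "udp" and pkt.direction == "in" and pkt.sport == 53


def query_source_port(pkt, state):
    """Don Lewis's variant, roughly:  ipfw add allow udp from any 53 to 192.0.2.10 1053
    Only replies aimed at named's fixed query-source port get in, so queries sent by
    dig from some other port never see their answers (the disadvantage he notes)."""
    return (pkt.proto == "udp" and pkt.direction == "in"
            and pkt.sport == 53 and pkt.dst == FIREWALL_IP
            and pkt.dport == NAMED_QUERY_SOURCE_PORT)


def stateful(pkt, state):
    """Peter Pentchev's variant, roughly:
        ipfw add check-state
        ipfw add allow udp from 192.0.2.10 to any 53 out keep-state
    An outgoing query records (local ip, local port, remote server); an inbound packet
    from port 53 is admitted only if it answers one of those. Real dynamic rules also
    expire after a timeout, which this toy omits."""
    if pkt.proto != "udp":
        return False
    if pkt.direction == "out" and pkt.dport == 53:
        state.add((pkt.src, pkt.sport, pkt.dst))
        return True
    if pkt.direction == "in" and pkt.sport == 53:
        return (pkt.dst, pkt.dport, pkt.src) in state
    return False


POLICIES = {
    "source-port-only": source_port_only,
    "query-source-port": query_source_port,
    "stateful": stateful,
}

# Constructed traffic: outbound packets build state, inbound ones are judged.
SAMPLE_TRAFFIC = [
    Packet("udp", FIREWALL_IP, 1053, "198.51.100.53", 53, "out"),   # named queries a server
    Packet("udp", "198.51.100.53", 53, FIREWALL_IP, 1053, "in"),    # genuine reply to named
    Packet("udp", "203.0.113.7", 53, FIREWALL_IP, 31337, "in"),     # sport-53 packet to a backdoor port
    Packet("udp", "203.0.113.9", 53, FIREWALL_IP, 1053, "in"),      # unsolicited "reply" to named's port
    Packet("udp", FIREWALL_IP, 54321, "198.51.100.99", 53, "out"),  # dig @198.51.100.99 from a random port
    Packet("udp", "198.51.100.99", 53, FIREWALL_IP, 54321, "in"),   # reply to that dig
]


def compare(packets):
    """Run every policy over the traffic; return {policy: [verdict per inbound packet]}."""
    results = {}
    for name, policy in POLICIES.items():
        state = set()
        verdicts = []
        for pkt in packets:
            allowed = policy(pkt, state)
            if pkt.direction == "in":
                verdicts.append(allowed)
        results[name] = verdicts
    return results


if __name__ == "__main__":
    for name, verdicts in compare(SAMPLE_TRAFFIC).items():
        print(f"{name:18s} {['ALLOW' if v else 'DENY' for v in verdicts]}")
```

The inbound verdicts line up with the thread: the source-port-only rule admits all four inbound packets including the one aimed at the backdoor port; the query-source-port rule blocks the backdoor packet but still admits an unsolicited packet aimed at port 1053 and drops the answer to dig; only the stateful rule admits exactly the two replies that match an earlier outgoing query.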