Date:      Fri, 1 Dec 2000 13:22:57 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        freebsd-security@FreeBSD.org
Cc:        "Roberto Samarone Araujo (RSA)" <sama@supridad.com.br>
Subject:   Re: FreeBSD Firewall - Help please
Message-ID:  <20001201132257.A329@ringworld.oblivion.bg>
In-Reply-To: <200012010001.QAA01418@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Thu, Nov 30, 2000 at 04:01:22PM -0800
References:  <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg> <200012010001.QAA01418@salsa.gv.tsc.tdk.com>

On Thu, Nov 30, 2000 at 04:01:22PM -0800, Don Lewis wrote:
> On Nov 30,  4:39pm, Peter Pentchev wrote:
> } Subject: Re: FreeBSD Firewall - Help please
> 
> } Much too true..  indeed, for those who haven't seen it the first few
> } thousand times, there are numerous telnet- and netcat-like utilities,
> } that are able to connect to previously installed backdoors, sending
> } TCP or UDP packets with a specified source port.  The above-pasted
> } firewall config will happily let those in, assuming they are DNS replies.
> } 
> } The only way to get around this is with a stateful firewall - allowing
> } UDP-source-port-53 traffic only after an outgoing UDP packet to that
> } host's port 53.
> 
> ... or run named and only allow responses to go to its query-source port.
> The disadvantage of this is that you can't debug DNS problems by pointing
> dig at other name servers.

..and then there are those who do not want to run named, but instead,
something like Dan J. Bernstein's dnscache (from the djbdns package),
which picks a random source port for each query - and we're back to
the stateful firewall :)

G'luck,
Peter

-- 
You have, of course, just begun reading the sentence that you have just finished reading.
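As an added illustration, not taken from Peter's or Don's messages and not written in ipfw syntax, the following constructed Python simulation contrasts the two policies the thread argues about: the stateless "pass inbound UDP if the source port is 53" rule from the pasted config, and a stateful check that admits an inbound datagram only if it answers an outbound query recorded earlier. The addresses, ports and the 20-second idle timeout are constructed values chosen for the example.

```python
"""Stateless vs stateful handling of inbound UDP 'DNS replies' (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", relative to the firewall host
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allows(pkt: Packet) -> bool:
    """The rule under discussion: any inbound UDP datagram with source port 53 passes."""
    if pkt.direction == "out":
        return True
    return pkt.sport == 53


class StatefulFilter:
    """Track outbound UDP queries to port 53 and admit only their matching replies.

    Entries are keyed on the full 4-tuple, so a reply must come from the server
    that was queried and land on the exact ephemeral port the query left from.
    That is what lets a resolver that picks a fresh random source port per
    query (dnscache-style) work: each query creates its own entry.
    """

    def __init__(self, idle_seconds: float = 20.0) -> None:
        self.idle_seconds = idle_seconds  # assumed idle timeout for the example
        # (local_ip, local_port, remote_ip, remote_port) -> expiry time
        self.table: Dict[Tuple[str, int, str, int], float] = {}

    def process(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.direction == "out":
            if pkt.dport == 53:
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.idle_seconds
            return True
        # Inbound: reverse the tuple and require a live entry.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.table.items() if t <= now]:
            del self.table[key]


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Feed a constructed packet sequence through both policies.

    Returns {name: (stateless_verdict, stateful_verdict)} for each packet.
    """
    local, server, other = "10.0.0.2", "192.0.2.53", "198.51.100.7"
    stateful = StatefulFilter(idle_seconds=20.0)
    sequence = [
        # A resolver query leaving from a random high port to the real server.
        ("query_out", 0.0, Packet("out", local, 40000, server, 53)),
        # The genuine answer: same server, same ephemeral port.
        ("reply_to_query", 1.0, Packet("in", server, 53, local, 40000)),
        # An unsolicited datagram whose source port merely happens to be 53.
        ("unsolicited_sport_53", 2.0, Packet("in", other, 53, local, 31337)),
        # Right server, but aimed at a port we never queried from.
        ("wrong_local_port", 3.0, Packet("in", server, 53, local, 40001)),
        # A late 'reply' arriving after the state entry has expired.
        ("reply_after_timeout", 30.0, Packet("in", server, 53, local, 40000)),
    ]
    results: Dict[str, Tuple[bool, bool]] = {}
    for name, t, pkt in sequence:
        results[name] = (stateless_allows(pkt), stateful.process(pkt, t))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless!s:5s} stateful={stateful}")
```

Only the genuine answer passes the stateful check; the three datagrams that merely carry source port 53 are accepted by the stateless rule and dropped by the stateful one. In ipfw the same idea is expressed by adding `keep-state` to the outbound UDP rule for port 53 and placing a `check-state` rule ahead of the blanket deny, so that the dynamic entry, not the source port, decides what comes back in.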