From owner-freebsd-security Fri Dec 1 3:23:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (pool136-tch-1.Sofia.0rbitel.net [212.95.170.136]) by hub.freebsd.org (Postfix) with SMTP id C4CDA37B400 for ; Fri, 1 Dec 2000 03:23:45 -0800 (PST)
Received: (qmail 1890 invoked by uid 1000); 1 Dec 2000 11:22:57 -0000
Date: Fri, 1 Dec 2000 13:22:57 +0200
From: Peter Pentchev
To: freebsd-security@FreeBSD.org
Cc: "Roberto Samarone Araujo (RSA)"
Subject: Re: FreeBSD Firewall - Help please
Message-ID: <20001201132257.A329@ringworld.oblivion.bg>
Mail-Followup-To: freebsd-security@FreeBSD.org, "Roberto Samarone Araujo (RSA)"
References: <017801c05ac5$cafd02d0$3cfdf2c8@nirvana> <20001130152521.B9269@ringworld.oblivion.bg> <3A26643D.E0CCD8FD@algroup.co.uk> <20001130163937.D9269@ringworld.oblivion.bg> <200012010001.QAA01418@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012010001.QAA01418@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Thu, Nov 30, 2000 at 04:01:22PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 30, 2000 at 04:01:22PM -0800, Don Lewis wrote:
> On Nov 30, 4:39pm, Peter Pentchev wrote:
> } Subject: Re: FreeBSD Firewall - Help please
>
> } Much too true.. indeed, for those who haven't seen it the first few
> } thousand times, there are numerous telnet- and netcat-like utilities
> } that are able to connect to previously installed backdoors, sending
> } TCP or UDP packets with a specified source port. The above-pasted
> } firewall config will happily let those in, assuming they are DNS replies.
> }
> } The only way to get around this is with a stateful firewall - allowing
> } UDP-source-port-53 traffic only after an outgoing UDP packet to that
> } host's port 53.
>
> ... or run named and only allow responses to go to its query-source port.
> The disadvantage of this is that you can't debug DNS problems by pointing
> dig at other name servers.

..and then there are those who do not want to run named, but instead
something like Dan J. Bernstein's dnscache (from the djbdns package),
which picks a random source port for each query - and we're back to
the stateful firewall :)

G'luck,
Peter

-- 
You have, of course, just begun reading the sentence that you have just finished reading.
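The three positions in this exchange (a stateless "allow UDP from source port 53" rule, Don Lewis's "only to named's fixed query-source port" rule, and Peter's stateful rule that admits a port-53 reply only after a matching outgoing query) can be compared on the same constructed traffic. The model below is an added example and is not code from the thread or from FreeBSD; it is a simplified stand-in for what ipfw's `keep-state`/`check-state` dynamic rules do for UDP. The addresses (RFC 5737 documentation ranges), the port numbers 1053, 40217 and 31337, and the 30-second state lifetime are assumptions chosen for the illustration.

```python
"""Stateless vs query-source-port vs stateful filtering of UDP 'DNS replies'.

Constructed scenario, not captured traffic: a host 'me' runs either named
with a fixed query-source port (1053) or dnscache with a random source
port (40217), and an attacker sends unsolicited UDP with source port 53.
"""
import time
from dataclasses import dataclass

DNS_PORT = 53
STATE_TTL = 30.0  # assumed lifetime (seconds) of a "reply expected" entry


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatelessFirewall:
    """Equivalent of 'allow udp from any 53 to me': trusts the source port alone."""

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return pkt.proto == "udp" and pkt.src_port == DNS_PORT


class QuerySourceFirewall:
    """Don Lewis's variant: port-53 traffic allowed only to named's query-source port."""

    def __init__(self, query_port):
        self.query_port = query_port

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return (pkt.proto == "udp" and pkt.src_port == DNS_PORT
                and pkt.dst_port == self.query_port)


class StatefulFirewall:
    """Admits a port-53 reply only if we recently sent a query to that server
    from exactly that local address and port (ipfw keep-state style)."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # (local_ip, local_port, server_ip) -> expiry time

    def outbound(self, pkt):
        if pkt.proto == "udp" and pkt.dst_port == DNS_PORT:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
            self._pending[key] = self._now() + STATE_TTL
        return True

    def inbound(self, pkt):
        now = self._now()
        self._pending = {k: exp for k, exp in self._pending.items() if exp > now}
        if pkt.proto != "udp" or pkt.src_port != DNS_PORT:
            return False
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip) in self._pending


def run_scenarios():
    """Return {firewall_name: {packet_name: allowed?}} for the constructed traffic."""
    clock = [100.0]  # fake monotonic clock so state expiry is deterministic
    me, server, attacker = "192.0.2.10", "198.51.100.53", "203.0.113.66"

    named_query = Packet(me, 1053, server, 53)        # named, fixed query-source port
    named_reply = Packet(server, 53, me, 1053)
    cache_query = Packet(me, 40217, server, 53)       # dnscache, random source port
    cache_reply = Packet(server, 53, me, 40217)
    backdoor = Packet(attacker, 53, me, 31337)        # unsolicited, source port forced to 53
    backdoor_qport = Packet(attacker, 53, me, 1053)   # same trick aimed at the query port
    late_reply = Packet(server, 53, me, 1053)         # arrives after state has expired

    firewalls = {
        "stateless": StatelessFirewall(),
        "query_source": QuerySourceFirewall(query_port=1053),
        "stateful": StatefulFirewall(now=lambda: clock[0]),
    }
    results = {}
    for name, fw in firewalls.items():
        fw.outbound(named_query)
        fw.outbound(cache_query)
        verdicts = {
            "named_reply": fw.inbound(named_reply),
            "cache_reply": fw.inbound(cache_reply),
            "backdoor": fw.inbound(backdoor),
            "backdoor_qport": fw.inbound(backdoor_qport),
        }
        clock[0] += STATE_TTL + 1  # let any dynamic state expire
        verdicts["late_reply"] = fw.inbound(late_reply)
        results[name] = verdicts
    return results


if __name__ == "__main__":
    for fw_name, verdicts in run_scenarios().items():
        print(fw_name, verdicts)
```

Only the stateful variant passes both the named reply and the dnscache reply while rejecting every unsolicited source-port-53 packet; the query-source-port rule blocks dnscache's random-port replies and still lets a backdoor client in if it aims at port 1053. The model keeps a state entry alive until it times out rather than deleting it on the first reply, which is the ipfw behaviour; the `late_reply` case shows why the timeout matters.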