Date: Sun, 03 Jul 2005 00:05:24 -0000
From: Robert Watson <rwatson@freebsd.org>
To: Alexey Dokuchaev <danfe@cytherea.weblab.nsu.ru>
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
Message-ID: <Pine.NEB.3.96L.1020219113924.388H-100000@fledge.watson.org>
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>
Just as a slight follow-up I should have included in my earlier e-mail: the
merging of ucred and pcred should make this patch now be able to support real
and saved uids/gids as well as effective uids/gids, meaning that it can be used
to also restrict setuid applications such as ping.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
>
> Back in 1997, an email was sent to hackers@ about some substantial firewall
> code improvements, along with a patch, by Julian Assange
> <proff@{iq.org,suburbia.net}>. A PR (misc/2386) was then filed, but marked
> 'closed' shortly after submission for the reason 'Misfiled PR'. It seems never
> to have raised any interest afterwards, despite the fact that this work is
> definitely worth considering.
>
> I will forward the original mail at the end for those who are interested. My
> particular interest in this comes from the fact that uid/gid-based IPFW
> filtering only works for outgoing connections, which is a neat thing of
> course. However, to be able to provide any service, I need to allow incoming
> connections as well, and this is where I got somewhat disappointed: I cannot
> control who's bind()'ing to whatever port (if outside setup connections are
> allowed), and if, say, for whatever reason my cvsupd (or ircd, or quaked)
> exits, any malicious user process can issue bind() to the [freed]
> unprivileged port. One might say this is not a big deal, since servers tend
> to restart themselves in case of any failure; however, for example, FTP
> passive mode requires setup connections to be allowed in a certain port
> range, and I really want only the ftp user to be able to bind() to those
> ports. At present, there is no way in IPFW to open ports for a specific
> user/group only, while Julian's patch seems to solve the problem.
>
> Time to revise this stuff again? :-)
>
> The URL Julian gives in his email is no longer valid, but his patches are in
> PR misc/2386, and can also be found at ftp://regency.nsu.ru/tmp/ipfw.diff.
>
> Sincerely,
> Alexey Dokuchaev
>
> ------ Forwarded message ------
> Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
> From: proff@suburbia.net
> To: hackers@freebsd.org, security@freebsd.org
> Subject: new firewall code [uid/gid/bind() etc]
> Message-ID: <19970106200116.16168.qmail@suburbia.net>
>
> I tried posting the patches but, at 55k, it seems majordumbo has
> (silently) rejected them. You may find them at:
>
> ftp://suburbia.net/tmp/ipfw.diff
>
> My "socket credentials" patches allow you to:
>
> punch wormholes, or restrict access to the IPPORT_RESERVED space, or
> restrict access to bind() altogether based on:
>
> (a) uid
> (b) gid (including secondary groups)
> (c) port
> (d) protocol
> (e) interface
>
> And more importantly:
>
> Restrict access to packets being sent/received on any socket based on:
>
> (a) the packet (per normal ipfw rules)
> (b) uid
> (c) gid (including secondary groups)
>
> The former permits constructs like:
>
> /* let uid sendmail bind to port 25 */
> # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind
>
> /* only let inetd bind - we presume inetd still needs to run as root
>    for uid switching when forking off clients */
>
> # addgroup inetd
> # chgrp inetd /usr/sbin/inetd
> # chmod 2700 /usr/sbin/inetd
> # killall inetd
> # ipfw add accept all from any to any bind gid inetd uid root
> # /* default policy is to deny bind */
>
> /* keep those without security clearance out of secret network */
> # ipfw add accept all from any to any via ed0 gid secret
> # ipfw add deny all from any to any via ed0 gid any
>
> Logging has also been enhanced:
>
> # ipfw add 60000 accept log all from any to any bind
> /* example of named starting up */
>
> ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
>
> Cheers,
> Julian <proff@iq.org>
>
> ------ End of forwarded message ------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
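The bind() policy Julian describes (accept or deny a bind() by uid, gid including secondary groups, port, protocol and interface, with first match winning and an optional default-deny on bind) and the passive-FTP port-range problem Alexey raises are modelled below in Python as an added illustration. This is not the code from the ipfw.diff patch and not ipfw's rule grammar: the rule fields, the first-match semantics, the fallback to the classic reserved-port check, and every numeric uid, gid and port range are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

IPPORT_RESERVED = 1024  # classic BSD rule: ports below this need uid 0


@dataclass(frozen=True)
class Cred:
    """Credentials of the process calling bind(): uid, primary gid, secondary groups."""
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()

    def in_group(self, gid: int) -> bool:
        # "gid (including secondary groups)" in the proposal
        return gid == self.gid or gid in self.groups


@dataclass(frozen=True)
class BindRequest:
    proto: str   # "tcp" or "udp"
    port: int
    iface: str   # interface owning the bound address, "" for INADDR_ANY
    cred: Cred


@dataclass(frozen=True)
class BindRule:
    """One 'bind' rule; a None field means 'any' (constructed grammar)."""
    action: str                              # "accept" or "deny"
    proto: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None  # inclusive range
    iface: Optional[str] = None
    uid: Optional[int] = None
    gid: Optional[int] = None                # primary or secondary group

    def matches(self, req: BindRequest) -> bool:
        if self.proto is not None and self.proto != req.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= req.port <= self.ports[1]):
            return False
        if self.iface is not None and self.iface != req.iface:
            return False
        if self.uid is not None and self.uid != req.cred.uid:
            return False
        if self.gid is not None and not req.cred.in_group(self.gid):
            return False
        return True


def decide_bind(rules: List[BindRule], req: BindRequest, default_deny: bool = False) -> str:
    """First matching rule wins. Without a match, either refuse every bind()
    (default_deny, as in the inetd example) or apply the classic reserved-port check."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    if default_deny:
        return "deny"
    if req.port < IPPORT_RESERVED and req.cred.uid != 0:
        return "deny"
    return "accept"


# Constructed uids/gids for the illustration; real values are system-specific.
UID_ROOT, UID_SENDMAIL, UID_FTP, UID_USER = 0, 25, 14, 1001
GID_WHEEL, GID_INETD, GID_SECRET, GID_USERS = 0, 200, 300, 1000


def example_rules() -> List[BindRule]:
    return [
        # "let uid sendmail bind to port 25": a wormhole into the reserved range
        BindRule("accept", proto="tcp", ports=(25, 25), uid=UID_SENDMAIL),
        # passive-FTP data ports (constructed range) reserved for the ftp user,
        # so a freed port cannot be grabbed by another local user
        BindRule("accept", proto="tcp", ports=(50000, 50100), uid=UID_FTP),
        BindRule("deny", proto="tcp", ports=(50000, 50100)),
        # only holders of group 'secret' may bind addresses on ed0
        BindRule("accept", iface="ed0", gid=GID_SECRET),
        BindRule("deny", iface="ed0"),
    ]


def demo() -> dict:
    rules = example_rules()
    sendmail = Cred(UID_SENDMAIL, GID_USERS)
    ftp = Cred(UID_FTP, GID_USERS)
    user = Cred(UID_USER, GID_USERS)
    cleared = Cred(UID_USER + 1, GID_USERS, frozenset({GID_SECRET}))
    return {
        "sendmail_25": decide_bind(rules, BindRequest("tcp", 25, "", sendmail)),
        "user_25": decide_bind(rules, BindRequest("tcp", 25, "", user)),
        "ftp_pasv": decide_bind(rules, BindRequest("tcp", 50042, "", ftp)),
        "user_pasv": decide_bind(rules, BindRequest("tcp", 50042, "", user)),
        "user_high": decide_bind(rules, BindRequest("tcp", 6667, "", user)),
        "cleared_ed0": decide_bind(rules, BindRequest("udp", 5000, "ed0", cleared)),
        "user_ed0": decide_bind(rules, BindRequest("udp", 5000, "ed0", user)),
    }


def inetd_only() -> Tuple[str, str]:
    """Default policy deny bind; only root running the setgid-inetd binary may bind."""
    rules = [BindRule("accept", gid=GID_INETD, uid=UID_ROOT)]
    inetd = Cred(UID_ROOT, GID_INETD)   # root with egid inetd (chmod 2700 binary)
    rootsh = Cred(UID_ROOT, GID_WHEEL)  # a plain root shell
    return (decide_bind(rules, BindRequest("tcp", 23, "", inetd), default_deny=True),
            decide_bind(rules, BindRequest("tcp", 23, "", rootsh), default_deny=True))
```

The point the model makes explicit is the one Alexey is after: an unprivileged user binding a high port is accepted by the classic check ("user_high"), but the same user is refused in the passive-FTP range ("user_pasv") because the rule keys on the caller's uid, not on whether the port happens to be free.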