From owner-freebsd-questions@FreeBSD.ORG Tue Jul 13 06:15:48 2004
Date: Mon, 12 Jul 2004 23:15:45 -0700 (PDT)
From: Luke
To: freebsd-questions@freebsd.org
Reply-To: LukeD@pobox.com
Subject: Is this a safe ipfilter rule?

I'm using some rules like the following to allow unrestricted udp traffic across my firewall between my system and a set of specific ports on specific domain name servers. This is the scariest of these rules:

    pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any

Is this safe?

According to everything I've read, it's best to have a stateful firewall. The examples I've seen do something like:

    pass out quick proto udp from my.internal.address.range to any keep state

DNS queries match this rule and add an entry to the state table so that the local machine can get the reply back from the DNS without requiring any "pass in" rules.
However, I have a problem with that. I believe (and I'm gathering proof right now) that I'm running some heavy-duty filesharing applications that are causing ipfilter's state table to fill up. When this happens, I believe DNS queries choke if stateful rules are used. "named" goes into a frenzy of logging "sysquery: no addrs found for root NS (H.ROOT-SERVERS.NET)" and proceeds to run the alphabet on the ROOT-SERVERS.NET hosts, failing on all of them several times per second, presumably because the state table is full. /var/log/messages quickly grows to huge sizes, and a denial-of-service situation occurs.

I may be wrong about some of this. It's a theory I'm trying to prove to explain why named goes crazy when my system is under the stress of heavy filesharing.

So, to keep named happy and prove my theory one way or the other, I'd like to pass all DNS traffic through the firewall without making entries in the state table. I'm trying to accomplish this by setting up rules that are as specific as I can be about exactly which IP addresses and ports I want to allow free udp communication with, but is this safe? How difficult would it be for someone to forge packets that could get past this rule, and if they did, what damage could they do with udp?
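The two questions in the message (what the stateless "pass in ... to any" rule admits, and what happens to DNS replies once the state table is full) can be checked side by side with a small model. The following is an added example, not code from the original message or from the ipfilter project: a toy evaluator for the rule subset quoted above that reproduces ipfilter's ordering (the last matching rule wins unless a matching rule says `quick`) and a state table with a fixed capacity. The addresses, port numbers, the tightened `TIGHT` rule set, and the assumption that a `keep state` packet still passes when the table is full but leaves no entry behind (so its reply later falls through to `block in all`) are all constructed for illustration.

```python
"""Toy evaluator for the ipfilter rule subset quoted on the page (constructed
example, not ipfilter's code). Rule order: last match wins unless the matching
rule says 'quick'. State table: bounded; the behaviour when it is full (packet
passes, no entry made) is an assumption of this model."""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "direction proto src sport dst dport")
Rule = namedtuple("Rule", "action direction quick proto src sport dst dport keep_state")
ANY = lambda _p: True          # port predicate that accepts every port


def _endpoint(toks):
    """Consume 'addr[/mask] [port OP N]'; a network of None means 'any'."""
    addr = toks.pop(0)
    net = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
    pred = ANY
    if toks and toks[0] == "port":
        toks.pop(0)
        op, n = toks.pop(0), int(toks.pop(0))
        pred = {"=": lambda p: p == n, ">": lambda p: p > n, "<": lambda p: p < n}[op]
    return net, pred


def parse_rule(text):
    """action dir [quick] [proto X] (all | from A [port op N] to B [port op N]) [keep state]"""
    toks = text.split()
    action, direction = toks.pop(0), toks.pop(0)
    quick = bool(toks) and toks[0] == "quick"
    if quick:
        toks.pop(0)
    proto = "any"
    if toks and toks[0] == "proto":
        toks.pop(0)
        proto = toks.pop(0)
    if toks and toks[0] == "all":          # 'all' is ipfilter's 'from any to any'
        toks.pop(0)
        src, sport, dst, dport = None, ANY, None, ANY
    else:
        assert toks.pop(0) == "from"
        src, sport = _endpoint(toks)
        assert toks.pop(0) == "to"
        dst, dport = _endpoint(toks)
    return Rule(action, direction, quick, proto, src, sport, dst, dport,
                toks[:2] == ["keep", "state"])


def matches(r, p):
    if r.direction != p.direction or r.proto not in ("any", p.proto):
        return False
    if r.src is not None and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst is not None and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    return r.sport(p.sport) and r.dport(p.dport)


class Firewall:
    """Evaluates rules in order; last match wins unless a matching rule is 'quick'."""

    def __init__(self, rules, max_states):
        self.rules = [parse_rule(r) for r in rules]
        self.max_states, self.states = max_states, set()

    def filter(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (state)"              # tracked reply, rule list skipped
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"                      # ipfilter's default policy is pass
        if winner.action == "pass" and winner.keep_state:
            if len(self.states) >= self.max_states:
                return "pass (state table full, no entry)"   # modelled assumption
            self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass (state added)"
        return winner.action


# Constructed addresses: RFC 5737 test space for the resolver, RFC 1918 for the LAN.
REMOTE_DNS, LOCAL_HOST = "192.0.2.53", "10.0.0.5"
LOOSE = [f"pass in quick proto udp from {REMOTE_DNS}/32 port = 53 to any",
         "block in all"]
TIGHT = [f"pass in quick proto udp from {REMOTE_DNS}/32 port = 53 "
         f"to {LOCAL_HOST}/32 port > 1023", "block in all"]


def stateless_verdicts(rules):
    """Verdicts for a genuine answer to the resolver's ephemeral port and for a
    packet carrying the same source header but aimed at a local service port."""
    fw = Firewall(rules, max_states=0)
    answer = Packet("in", "udp", REMOTE_DNS, 53, LOCAL_HOST, 40000)
    stray = Packet("in", "udp", REMOTE_DNS, 53, LOCAL_HOST, 111)   # e.g. rpcbind
    return fw.filter(answer), fw.filter(stray)


def stateful_under_pressure(max_states):
    """Push max_states+1 queries through a 'keep state' rule and filter each reply."""
    fw = Firewall(["pass out quick proto udp from 10.0.0.0/24 to any keep state",
                   "block in all"], max_states)
    results = []
    for i in range(max_states + 1):
        query = Packet("out", "udp", LOCAL_HOST, 40000 + i, REMOTE_DNS, 53)
        reply = Packet("in", "udp", REMOTE_DNS, 53, LOCAL_HOST, 40000 + i)
        results.append((fw.filter(query), fw.filter(reply)))
    return results
```

`stateless_verdicts(LOOSE)` passes both packets: because UDP carries no handshake, the rule as written trusts nothing but a source address and source port, and it forwards anything carrying them to every UDP port on every host behind the firewall. `stateless_verdicts(TIGHT)` still passes the real answer but blocks the stray one, since the `to` clause now names the resolver's own address and the unprivileged port range it queries from; binding the rule to the outside interface with `on <ifname>` narrows it further. `stateful_under_pressure(2)` shows the failure mode the message describes: the third query leaves, no entry is made, and its reply is blocked. On the real system, `ipfstat -s` reports state-table statistics and is the place to confirm whether the table is actually filling.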