Date: Sun, 7 May 2000 10:15:48 -0400
From: Tom Legg <tjlegg@shore.net>
To: Mark Murray <mark@grondar.za>, Marc Silver <marcs@draenor.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall Rules
Message-ID: <p04310102b53b25beb504@[207.244.92.51]>
In-Reply-To: <200005071311.PAA18519@grimreaper.grondar.za>
References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>
At 3:11 PM +0200 5/7/2000, Mark Murray wrote:
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
>
> You want to allow DNS, and this will do it, but it will allow an
> attacker to attack you by setting his source (ephemeral) port
> to 53. Just be aware of this; there is probably not much you can
> do with ipfw - you need a firewall that can hold UDP state.

True. So delete the second and fourth lines to eliminate the duplicates.
Then my first fix would be for the second line, the one receiving DNS replies:

$fwcmd add allow udp from x.x.x.x 53 to any 1024-65535 in recv tun0

This at least removes probing of the privileged ports from a remote port 53.
Of course you should check to see if you have any services running on
unprivileged ports (databases or Back Orifice and the like are good examples)
and deny external access to the ports that those services are listening on
as well.

But if you are up for it, you might want to set up a simple DNS server on the
machine running ipfw, insert your ISP's DNS servers into the userland ppp.conf
or into /etc/resolv.conf, then point your internal machines to use the DNS off
of the internal interface of the ipfw machine and tighten the above rule to be

$fwcmd add allow udp from x.x.x.x 53 to ${oif} 1024-65535 in recv tun0

(${oif} is the outside interface, in this case tun0)

Now I've never played around with NAT, but with the original set of rules
wouldn't you still need a line in the ipfw rules to xmit the incoming DNS
responses via the inside interface? Or does NAT sort of bypass the interface
restrictions of ipfw?
> --
> Mark Murray
> Join the anti-SPAM movement: http://www.cauce.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-----
Tom Legg
tjlegg@shore.net
http://www.shore.net/~tjlegg/
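The behaviour discussed in the message above, as an added example that is not part of the original post or of ipfw itself: a small Python model of how the quoted rules treat UDP packets. It shows why `allow udp from x.x.x.x 53 to any in recv tun0` lets anyone who forges the resolver's address and uses source port 53 reach any local UDP port, how Tom's `to any 1024-65535` narrows that to unprivileged ports (leaving the caveat about services on high ports), and, going beyond the thread, what a filter that remembers outbound queries (the UDP state Mark says ipfw could not hold) would add. The addresses, ports and traffic are constructed for illustration; the rule-matching logic is a simplification, not ipfw's actual implementation.

```python
# Added example, not code from the thread or from ipfw: a toy model of first-match
# UDP filtering to compare the original rule, Tom's tightened rule, and a stateful
# check. Addresses and ports below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

DNS_SERVER = "192.0.2.53"     # stands in for the ISP resolver x.x.x.x
LOCAL_HOST = "198.51.100.7"   # stands in for the ipfw box's tun0 address

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", as seen on the interface
    iface: str


@dataclass(frozen=True)
class Rule:
    """One 'ACTION udp from SRC SPORT to DST DPORT DIR via IFACE' rule."""
    action: str
    src: str
    sport: PortRange
    dst: str
    dport: PortRange
    direction: str
    iface: str


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))


def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The thread's original pair of rules, duplicates dropped.
ORIGINAL = [
    Rule("allow", "any", None, DNS_SERVER, (53, 53), "out", "tun0"),
    Rule("allow", DNS_SERVER, (53, 53), "any", None, "in", "tun0"),
]

# Tom's first fix: replies may only land on unprivileged ports.
TIGHTENED = [
    ORIGINAL[0],
    Rule("allow", DNS_SERVER, (53, 53), "any", (1024, 65535), "in", "tun0"),
]


class StatefulFilter:
    """Allow an inbound UDP packet only if it answers a query we sent out.

    A real firewall would also age these entries out; that is omitted here."""

    def __init__(self):
        self.pending = set()   # (local addr, local port, remote addr, remote port)

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.pending:
            return "allow"
        return "deny"


def compare(pkt: Packet, state: StatefulFilter) -> dict:
    """Verdicts of the three filters for one packet, keyed by filter name."""
    return {"original": verdict(ORIGINAL, pkt),
            "tightened": verdict(TIGHTENED, pkt),
            "stateful": state.verdict(pkt)}


def run_scenario() -> dict:
    """Constructed traffic: one real lookup, then two forged 'replies'."""
    state = StatefulFilter()
    query = Packet(LOCAL_HOST, 3456, DNS_SERVER, 53, "out", "tun0")
    reply = Packet(DNS_SERVER, 53, LOCAL_HOST, 3456, "in", "tun0")
    # The attacker forges the resolver's address and uses source port 53.
    probe_rpc = Packet(DNS_SERVER, 53, LOCAL_HOST, 111, "in", "tun0")      # privileged
    probe_high = Packet(DNS_SERVER, 53, LOCAL_HOST, 31337, "in", "tun0")   # unprivileged
    return {name: compare(p, state) for name, p in
            [("query", query), ("reply", reply),
             ("probe_rpc", probe_rpc), ("probe_high", probe_high)]}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:10s} {result}")
```

Running it shows the three filters agreeing on the genuine query and reply, the original rule admitting both forged packets, the tightened rule stopping only the one aimed at port 111, and the stateful check stopping both because neither matches a query the local host actually sent.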