Date: Sun, 7 May 2000 10:15:48 -0400 From: Tom Legg <tjlegg@shore.net> To: Mark Murray <mark@grondar.za>, Marc Silver <marcs@draenor.org> Cc: freebsd-security@freebsd.org Subject: Re: Firewall Rules Message-ID: <p04310102b53b25beb504@[207.244.92.51]> In-Reply-To: <200005071311.PAA18519@grimreaper.grondar.za> References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>
At 3:11 PM +0200 5/7/2000, Mark Murray wrote:
>> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
>> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
>> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
>> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
>
>You want to allow DNS, and this will do it, but it will allow an
>attacker to attack you by setting his source (ephemeral) port
>to 53. Just be aware of this; there is probably not much you can
>do with ipfw - you need a firewall that can hold UDP state.
>
True. So delete the second and fourth lines to eliminate the
duplicates. Then my first fix would be for the second line receiving
DNS replies.
$fwcmd add allow udp from x.x.x.x 53 to any 1024-65535 in recv tun0
This at least removes probing of the privileged ports from a remote
port 53. Of course you should check to see if you have any services
running on unprivileged ports (databases or back orifice and the like
are good examples) and deny external access to the ports that those
services are listening on as well.
But if you are up for it, you might want to set up a simple DNS
server on the machine running ipfw, insert your ISPs DNS servers in
to the userland ppp.conf or in to /etc/resolv.conf, then point your
internal machines to use the DNS off of the internal interface of the
ipfw machine and tighten the above rule to be
$fwcmd add allow udp from x.x.x.x 53 to ${oif} 1024-65535 in recv tun0
(${oif} is the outside interface, in this case tun0)
Now I've never played around with NAT, but with the original set of
rules wouldn't you still need a line in the ipfw rules to xmit the
incoming DNS responses via the inside interface? Or does NAT sort of
bypass the interface restrictions of ipfw?
>--
>Mark Murray
>Join the anti-SPAM movement: http://www.cauce.org
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
--
-----
Tom Legg
tjlegg@shore.net
http://www.shore.net/~tjlegg/
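An added illustration (written here, not code from the thread or from FreeBSD's ipfw): a small first-match model of the inbound DNS-reply rules discussed above, run against constructed packets, to show what each tightening does and does not block. The addresses are RFC 5737 documentation ranges standing in for x.x.x.x (the ISP's DNS server) and ${oif} (the tun0 address); port 3306 is an assumed example of a service listening on an unprivileged port, which is the case the message says you still have to deny by hand.

```python
"""First-match model of the ipfw rules from the thread (illustration only, not ipfw).

A rule matches on protocol, source address/port range, destination address/port
range, direction and interface; the first matching rule decides, and a packet
that matches nothing is denied, as with ipfw's default rule 65535.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), assumed for the example.
ISP_DNS = "192.0.2.53"      # stands in for x.x.x.x, the ISP's DNS server
OIF = "198.51.100.7"        # stands in for ${oif}, the address on tun0
INSIDE_HOST = "10.0.0.5"    # a machine behind the firewall
ATTACKER = "203.0.113.9"    # a remote host using source port 53
DB_PORT = 3306              # assumed service on an unprivileged port

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" (recv) or "out" (xmit)
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str
    src: str         # address or "any"
    sports: PortRange
    dst: str         # address or "any"
    dports: PortRange
    direction: str
    iface: str

    def matches(self, p: Packet) -> bool:
        def addr_ok(want: str, have: str) -> bool:
            return want == "any" or want == have

        def port_ok(rng: PortRange, port: int) -> bool:
            return rng is None or rng[0] <= port <= rng[1]

        return (self.proto == p.proto
                and addr_ok(self.src, p.src) and port_ok(self.sports, p.sport)
                and addr_ok(self.dst, p.dst) and port_ok(self.dports, p.dport)
                and self.direction == p.direction and self.iface == p.iface)


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The outbound query rule is the same in every variant and is omitted here.
# 1. allow udp from x.x.x.x 53 to any in recv tun0
original = [Rule("allow", "udp", ISP_DNS, (53, 53), "any", None, "in", "tun0")]
# 2. allow udp from x.x.x.x 53 to any 1024-65535 in recv tun0
ephemeral_only = [Rule("allow", "udp", ISP_DNS, (53, 53), "any", (1024, 65535), "in", "tun0")]
# 3. resolver on the firewall: allow udp from x.x.x.x 53 to ${oif} 1024-65535 in recv tun0,
#    preceded by an explicit deny for the service on the unprivileged port.
local_resolver = [
    Rule("deny", "udp", "any", None, OIF, (DB_PORT, DB_PORT), "in", "tun0"),
    Rule("allow", "udp", ISP_DNS, (53, 53), OIF, (1024, 65535), "in", "tun0"),
]


def reply(src: str, sport: int, dst: str, dport: int) -> Packet:
    """A UDP datagram arriving on tun0, i.e. something claiming to be a DNS reply."""
    return Packet("udp", src, sport, dst, dport, "in", "tun0")


def verdicts(p: Packet) -> Tuple[str, str, str]:
    """Verdict under each of the three rule sets, in the order given above."""
    return (filter_packet(original, p),
            filter_packet(ephemeral_only, p),
            filter_packet(local_resolver, p))


if __name__ == "__main__":
    cases = {
        "real DNS reply to resolver on firewall": reply(ISP_DNS, 53, OIF, 3456),
        "probe of sshd (22) from remote port 53": reply(ISP_DNS, 53, OIF, 22),
        "probe of port 3306 from remote port 53": reply(ISP_DNS, 53, OIF, DB_PORT),
        "reply addressed to an inside host":      reply(ISP_DNS, 53, INSIDE_HOST, 3456),
        "attacker's own address, source port 53": reply(ATTACKER, 53, OIF, 3456),
    }
    for name, pkt in cases.items():
        o, e, r = verdicts(pkt)
        print(f"{name:42s} original={o:5s} ephemeral={e:5s} resolver={r:5s}")
```

Run it and the table makes the thread's point concrete: the 1024-65535 restriction stops a remote port 53 from reaching sshd, but a listener on 3306 is still reachable until you add the deny, and only the ${oif} form keeps such packets from being passed toward inside hosts. What none of the rule sets can do is tell a real reply from a forged one sent from the ISP resolver's address with source port 53, which is the UDP-state problem Mark mentions.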
