Date: Mon, 23 Aug 1999 15:08:30 -0600
From: Nate Williams <nate@mt.sri.com>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
Message-ID: <199908232108.PAA02230@mt.sri.com>
In-Reply-To: <199908232053.NAA36241@gndrsh.dnsmgr.net>
References: <199908232024.OAA01685@mt.sri.com> <199908232053.NAA36241@gndrsh.dnsmgr.net>
> > > > I've got some rules in place, but if someone has gotten DNS firewall
> > > > rules I'd be grateful to see them.
> > >
> > > These rules only log things, they are not meant to stop things, all logs
>                  ^^^^^^^^
> You didn't pay attention to this very
> important point about what these rules DO.  I also said later on how to
> change them to do what you wanted.

Sorry, you're right.  I missed that.

> > > ipfw add 10539 allow log tcp from any to any 53
> >
> > This seems insecure to me.  Any external host can connect to port 53 on
> > your internal hosts.  Also, internal hosts can 'leak' information out
> > externally.
>
> You missed the clause above about ``only log things'', change that
> rule from ``allow log'' to ``deny log'' and it does just what you
> wanted.

Gotcha.  See below.

> > > ipfw add 40530 allow udp from any to A.B.C.D 53
> >
> > Fairly secure, as long as BIND on A.B.C.D is secure, which we hafta
> > assume at some point. :)
>
> A.B.C.D is YOUR DNS server, you are in control of how secure it is.

I know, I was (attempting) to be funny.  Obviously I failed. :(

> > > ipfw add 40530 allow udp from A.B.C.D 53 to any
> > > ipfw add 40539 allow log udp from any to any 53
> >
> > This is *NOT* secure, just like the TCP port.
>
> I'm ignoring this, you didn't read very carefully.

Right, it's the next rule that I *needed* though...

> > > ipfw add 40539 allow log udp from any 53 to any
> >
> > This is also insecure, in that it allows anyone to use source port 53 to
> > connect to *any* UDP port in your network.
>
> You have no idea what my other 400 rules do.  All those other UDP ports
> are handled some place else.  If you wanted a full firewall rule set,
> well, that'll be $100/hr...

I've done my best, but I couldn't figure out a 'clean, efficient, and safe'
way of allowing DNS (and NTP, which is in the same boat) to work.  The rules
before must disallow connections, but I don't see how you can do that and
still allow connections from port 53.

> > However, I don't like what I have, and was hoping someone could tell me
> > how to lock things down better.
>
> Turn the box off? :-) :-)

Yeah, wouldn't that be easy. :)

Nate
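As an added example that is not part of the thread: a small Python evaluator for the simple ipfw rule forms quoted above, applying ipfw's first-match semantics so the log-only UDP set can be compared with a tightened one. The host names, the 40531 rules and the assumption that internal hosts resolve only through A.B.C.D are constructed for illustration.

```python
# Added example, not code from the thread: a small first-match evaluator for the
# ipfw rule shapes quoted above, used to compare the log-only rules against a
# tightened variant. Host names and the 40531 rules are constructed.
import re
from collections import namedtuple

RULE_RE = re.compile(r"ipfw add (\d+) (allow|deny)( log)? (udp|tcp) from (\S+)"
                     r"(?: (\d+))? to (\S+)(?: (\d+))?$")
Rule = namedtuple("Rule", "num action log proto src sport dst dport")

def parse(line):
    """Parse one 'ipfw add ...' line of the simple form used in the thread."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    num, act, log, proto, src, sp, dst, dp = m.groups()
    return Rule(int(num), act, bool(log), proto, src,
                int(sp) if sp else None, dst, int(dp) if dp else None)

def load(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins, as in ipfw; equal-numbered rules keep insertion order
    (sorted() is stable). Returns (action, number); 65535 is the default rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if (r.proto == proto and r.src in ("any", src) and r.dst in ("any", dst)
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action, r.num
    return "deny", 65535

# Rodney's UDP rules as quoted above (A.B.C.D is the site's own resolver).
LOG_ONLY = load("""
ipfw add 40530 allow udp from any to A.B.C.D 53
ipfw add 40530 allow udp from A.B.C.D 53 to any
ipfw add 40539 allow log udp from any to any 53
ipfw add 40539 allow log udp from any 53 to any
""")

# Tightened variant (assumption: internal hosts resolve only through A.B.C.D):
# only the resolver may query outside servers and only it may receive port-53
# replies; the catch-alls become "deny log", so a source-port-53 packet aimed at
# another internal host, or a host querying outside directly, is dropped and logged.
TIGHT = load("""
ipfw add 40530 allow udp from any to A.B.C.D 53
ipfw add 40530 allow udp from A.B.C.D 53 to any
ipfw add 40531 allow udp from A.B.C.D to any 53
ipfw add 40531 allow udp from any 53 to A.B.C.D
ipfw add 40539 deny log udp from any to any 53
ipfw add 40539 deny log udp from any 53 to any
""")
```

Running `evaluate(LOG_ONLY, "udp", "outside", 53, "inside-host", 514)` returns the allow from rule 40539, the hole Nate objects to, while the same packet against `TIGHT` is denied by its deny-log catch-all.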
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199908232108.PAA02230>