Date:      Thu, 2 Dec 1999 11:54:38 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        jhb@FreeBSD.org (John Baldwin)
Cc:        freebsd-security@FreeBSD.org, adam@algroup.co.uk
Subject:   Re: rc.firewall revisited
Message-ID:  <199912021954.LAA74271@gndrsh.dnsmgr.net>
In-Reply-To: <199912021817.NAA54042@server.baldwin.cx> from John Baldwin at "Dec 2, 1999 01:17:59 pm"

> 
> On 02-Dec-99 Rodney W. Grimes wrote:
> > ...
> >> > 
> >> >     # Allow all outgoing UDP
> >> >     $fwcmd add pass udp from any to any
> > 
> > The comment for this does not match what the rule actually does,
> > this rule has not ``outgoing'' about it at all....
> 
> Grrr..  perhaps this would be better:
> 
>    $fwcmd add pass udp from ${ip} to any
> 
> >> OK, well this more or less matches my own current iteration, so I have
> >> no problem with that...
> > 
> > The above rule set reduces to nothing more than a deny to low ports
> > and NFS due to missing via/in/out clauses..
> 
> Do you prefer your earlier proposal that used a $dnsserver variable then?

I'd actually prefer that rc.firewall be pretty much either blank, or very
carefully engineered.  What is there now is a total joke, it only gives
people false senses of security.

If you must deal with DNS through a firewall you must make sure your
bind is set up to do port 53 queries, only listen on specific IP addresses
and then you can actually write the correct rules:

ipfw add X pass udp from any to ${dnsserver} 53
ipfw add X+1 pass udp from ${dnsserver} 53 to any
ipfw add X+2 deny log udp from any to any 53
ipfw add X+3 deny log udp from any 53 to any

You also need to do similar things for tcp/53.

One can't be sure that the above will work, unless one can ensure that
all DNS clients are configured to query from port 53.  If you have to
remove this restriction you'll never get a set of rules that's worth a
damn with respect to named.  If this is a real firewall instead of just
a host being protected you can be even stricter if you configure your
internal DNS servers correctly, mandate that all internal DNS queries
use these servers as forwarders, etc.  This is way way way beyond the
scope of what can easily be done in a stock /etc/rc.firewall.

You will never be able to write an rc.firewall that is very good and generally
applicable unless you define a lot of things about how the environment is set
up, and tell the user how he needs to change his internal configuration such
that it can work with this set of firewall rules.  

You need things like internal IP subnet range data, specific services on
specific machines, allowed protocols; my current simple set firewall uses
80 some odd variables to define this stuff, and it's not even close to being
a good firewall :-)

#!/bin/sh
# $FreeBSD$
# rc.firewall

# This is the file that a site should define its firewall rule set in,
# we recommend books X, Y and Z and man ipfw(8) as minimal reading before
# attempting to create the content of this file.
#
# It is up to the user to write a correct set of firewall rules, network
# environments are far too varied to even attempt for FreeBSD to provide
# a template, as it would most definitely be wrong at some unknown number
# of sites.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
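The four udp/53 rules sketched in the message above, carried through with the tcp/53 counterparts the author says are also needed and with the in/out/via clauses he says the stock rules lack. This is an added example for this archive page, not code from the original mail or from FreeBSD's rc.firewall. It assumes a hypothetical resolver address, outside interface name and rule base number passed as arguments, and it assumes what the message requires: that the local bind has been told to send its own queries from port 53 (in named.conf that is `query-source address * port 53;`). By default it only prints the ipfw commands; set FWCMD=ipfw to actually load them.

```sh
#!/bin/sh
# Added example, not from the original message or from /etc/rc.firewall.
# gen_dns_rules DNSSERVER OIF BASE
#   DNSSERVER  address the local bind listens on and queries from (assumed)
#   OIF        outside interface the rules are bound to (assumed, e.g. fxp0)
#   BASE       first ipfw rule number to use (assumed, e.g. 1000)
# Emits pass rules for udp/53 and tcp/53 to and from the one server, then
# deny+log rules for any other port-53 traffic crossing the interface.
# Every rule carries a direction (in/out) and/or a via clause so none of
# them collapses into the directionless "from any to any" the message
# complains about.
gen_dns_rules() {
    dnsserver="$1"; oif="$2"; base="$3"
    fwcmd="${FWCMD:-echo ipfw}"   # dry run unless FWCMD=ipfw is exported
    n="$base"
    # Queries arriving for our server, and its replies/own queries leaving.
    # Relies on bind querying from source port 53, as the message demands.
    for proto in udp tcp; do
        $fwcmd add "$n" pass "$proto" from any to "$dnsserver" 53 in via "$oif"
        n=$((n + 1))
        $fwcmd add "$n" pass "$proto" from "$dnsserver" 53 to any out via "$oif"
        n=$((n + 1))
    done
    # Everything else on port 53, either direction, is dropped and logged.
    for proto in udp tcp; do
        $fwcmd add "$n" deny log "$proto" from any to any 53 via "$oif"
        n=$((n + 1))
        $fwcmd add "$n" deny log "$proto" from any 53 to any via "$oif"
        n=$((n + 1))
    done
}

# check_dns_rules: succeeds only if every emitted rule names the
# interface, i.e. no rule is missing its via clause.
check_dns_rules() {
    if gen_dns_rules "$@" | grep -v 'via' >/dev/null; then
        return 1
    fi
    return 0
}

# Usage (dry run, prints eight ipfw commands):
#   gen_dns_rules 10.0.0.2 fxp0 1000
```

The rule numbers and the order matter: the pass rules sit before the deny rules, so a misconfigured client that queries from a high port is logged rather than silently admitted, which is the trade-off the message describes when it says the rules only work if every client queries from port 53.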




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912021954.LAA74271>