Date:      Fri, 3 Dec 1999 09:48:38 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        adam@algroup.co.uk (Adam Laurie)
Cc:        nate@mt.sri.com (Nate Williams), jhb@FreeBSD.ORG (John Baldwin), freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <199912031748.JAA77378@gndrsh.dnsmgr.net>
In-Reply-To: <3847F55E.B546B2EB@algroup.co.uk> from Adam Laurie at "Dec 3, 1999 04:52:46 pm"

> Nate Williams wrote:
> 
> > >
> > > And, of course, it also means you are wide open to attack from a
> > > compromised name server. I do not want to trust hosts. I want to trust
> > > specific connections to specific services.
> > 
> > How do you propose to stop a compromised name server from giving out
> > bogus information using a firewall rule?  I'm curious...
> 
> Please re-read my statement. Who said anything about bogus information?
> I'm talking about connecting to UDP ports (like NFS) that you're not
> supposed to be able to connect to. Since his rule passes UDP that is
> sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> you are wide open to *attack*, not misinformation. At some point, your
> chain of name servers has to talk to the outside world, so this means
> the machine that does the final relay is open to attack from the outside
> world.

Someone hand Adam a pair of wire cutters; that is the only way he is
going to get the firewall he wants.


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
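Added illustration (not from the thread, and not FreeBSD's rc.firewall or ipfw code): a small rule matcher that contrasts the rule Adam objects to ("pass UDP sourced from port 53 on the nameserver to any UDP port on any machine") with a tightened, state-tracking policy that only passes a port-53 datagram when it answers a query an internal host actually sent, which is the kind of matching ipfw's keep-state/check-state provides. The nameserver address, the internal host address and the packets are constructed sample values; the policy class and function names are my own.

```python
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
NAMESERVER = "192.0.2.53"
INTERNAL_HOST = "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a datagram, enough for these two policies."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def permissive_allows(pkt: Packet) -> bool:
    """The rule the thread objects to: any UDP datagram whose source is the
    nameserver's port 53 is passed, regardless of destination host or port."""
    return pkt.proto == "udp" and pkt.src == NAMESERVER and pkt.sport == 53


class StatefulDnsPolicy:
    """Tightened policy: a port-53 datagram is passed only if it answers a
    query this policy saw leave an internal host (same host and source port).
    Each recorded query admits one reply, so an unsolicited datagram aimed at
    another UDP service on the same host is dropped."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        """Record an outgoing DNS query and allow it; refuse other traffic
        here only because this toy policy models DNS alone."""
        if pkt.proto == "udp" and pkt.dst == NAMESERVER and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport))
            return True
        return False

    def inbound_allows(self, pkt: Packet) -> bool:
        """Pass a datagram from the nameserver's port 53 only if it matches a
        query still waiting for its answer."""
        if pkt.proto != "udp" or pkt.src != NAMESERVER or pkt.sport != 53:
            return False
        key = (pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)  # one answer per query
            return True
        return False


def compare_policies() -> dict:
    """Run both policies over a legitimate DNS reply and over an unsolicited
    port-53 datagram aimed at the NFS port (2049) on the same internal host."""
    query = Packet("udp", INTERNAL_HOST, 40123, NAMESERVER, 53)
    reply = Packet("udp", NAMESERVER, 53, INTERNAL_HOST, 40123)
    unsolicited = Packet("udp", NAMESERVER, 53, INTERNAL_HOST, 2049)

    policy = StatefulDnsPolicy()
    policy.outbound(query)

    return {
        "permissive_reply": permissive_allows(reply),        # True
        "permissive_unsolicited": permissive_allows(unsolicited),  # True: wide open
        "stateful_reply": policy.inbound_allows(reply),      # True
        "stateful_unsolicited": policy.inbound_allows(unsolicited),  # False
        "stateful_second_reply": policy.inbound_allows(reply),  # False: state consumed
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:24s} {'pass' if verdict else 'drop'}")
```

The permissive rule passes both datagrams because it keys only on the source host and port, which is exactly the exposure the quoted text describes. The stateful version trusts a specific exchange rather than a host, but it does not change Rod's point: whichever machine relays queries to the outside world still has to accept port-53 traffic from hosts it does not control.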

