Date:      Thu, 02 Dec 1999 23:00:34 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        John Baldwin <jhb@FreeBSD.org>, freebsd-security@FreeBSD.org
Subject:   Re: rc.firewall revisited
Message-ID:  <3846FA12.F1480F19@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
> 
> >
> > On 02-Dec-99 Rodney W. Grimes wrote:
> > > ...
> > >> >
> > >> >     # Allow all outgoing UDP
> > >> >     $fwcmd add pass udp from any to any
> > >
> > > The comment for this does not match what the rule actually does,
> > > this rule has not ``outgoing'' about it at all....
> >
> > Grrr..  perhaps this would be better:
> >
> >    $fwcmd add pass udp from ${ip} to any
> >
> > >> OK, well this more or less matches my own current iteration, so I have
> > >> no problem with that...
> > >
> > > The above rule set reduces to nothing more than a deny to low ports
> > > and NFS due to missing via/in/out clauses..
> >
> > Do you prefer your earlier proposal that used a $dnsserver variable then?
> 
> I'd actually prefer that rc.firewall be pretty much either blank, or very
> carefully engineered.  What is there now is a total joke, it only gives
> people false senses of security.

I agree. What we're trying to do is engineer it... The current one is
actually broken, and that needs fixing.

> 
> If you must deal with DNS through a firewall you must make sure your
> bind is setup to do port 53 queries, only listen on specific IP addresses
> and then you can actually write the correct rules:

The proposed rule deals with both "properly" and otherwise configured
DNS so I don't see what the objection is.

> 
> ipfw add X pass udp from any to ${dnsserver} 53
> ipfw add X+1 pass udp from ${dnsserver} 53 to any
> ipfw add X+2 deny log udp from any to any 53
> ipfw add X+3 deny log udp from any 53 to any

This breaks one of the basic rules of firewalling... Trusting traffic
based on source address. To quote from the ipfw manual:

     Note that may be dangerous to filter on the source IP address or source
     TCP/UDP port because either or both could easily be spoofed.

You've just let anyone that can spoof your DNS's source address onto any
UDP port.

> 
> You also need to do similar things for tcp/53.
> 
> One can't be sure that the above will work, unless one can ensure that
> all DNS clients are configured to query from port 53.  If you have to
> remove this restriction you'll never get a set of rules that's worth a
> damn with respect to named.  If this is a real firewall instead of just
> a host being protected you can be even stricter if you configure your
> internal DNS servers correctly, mandate that all internal DNS queries
> use these servers as forwarders, etc.  This is way way way beyond the
> scope of what can easily be done in a stock /etc/rc.firewall.
> 
> You will never be able to write an rc.firewall that is very good and generally
> applicable unless you define a lot of things about how the environment is set
> up, and tell the user how he needs to change his internal configuration such
> that it can work with this set of firewall rules.
> 
> You need things like internal IP subnet range data, specific services on
> specific machines, allowed protocols; my current simple set firewall uses
> 80 some odd variables to define this stuff, and it's not even close to being
> a good firewall :-)
> 
> #!/bin/sh
> # $FreeBSD$
> # rc.firewall
> 
> # This is the file that a site should define its firewall rule set in,
> # we recommend books X, Y and Z and man ipfw(8) as minimal reading before
> # attempting to create the content of this file.
> #
> # It is up to the user to write a correct set of firewall rules, network
> # environments are far too varied to even attempt for FreeBSD to provide
> # a template, as it would most definitely be wrong at some unknown number
> # of sites.

That is indeed a reasonable alternative... :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
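The two objections in this exchange, Rodney's that rules without via/in/out clauses do not express direction at all, and Adam's that a `pass udp from ${dnsserver} 53 to any` rule trusts a spoofable source, can be checked mechanically. The evaluator below is an added example, not ipfw(8) and not code from either poster: it models ipfw's first-match semantics for just the fields the quoted rules use (protocol, source/destination address and port, and optional `in`/`out` and `via` clauses) and runs the quoted rule set and a tightened variant against constructed packets. The firewall address 192.0.2.10, interface name `ed0`, inside subnet 10.0.0.0/24 and DNS server 198.51.100.53 are assumptions chosen for the example.

```python
"""Toy first-match evaluator for the ipfw(8) rule shapes discussed in this
thread: protocol, source/destination address and port, and the optional
in/out and via clauses.  Added example; it is neither ipfw nor code from the
thread, and models only enough of ipfw's matching to compare the rule sets.
Addresses and the interface name below are assumptions, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" (received on iface) or "out" (sent on iface)
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "deny"
    proto: str                        # "udp", "tcp" or "ip" (any protocol)
    src: str                          # "any", a host, or a CIDR prefix
    sport: Optional[int]              # None = any port
    dst: str
    dport: Optional[int]
    direction: Optional[str] = None   # None = either, else "in"/"out"
    via: Optional[str] = None         # None = any interface


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via == p.iface))


def evaluate(rules, p: Packet) -> str:
    """First matching rule decides; the implicit final rule is deny."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"


# Assumed topology: the firewall's own outside address, its outside interface,
# the internal subnet it forwards for, and the upstream DNS server.
IP, OIF, INSIDE, DNSSERVER = "192.0.2.10", "ed0", "10.0.0.0/24", "198.51.100.53"

# The rules quoted in the thread, exactly as shaped: no in/out/via clauses.
QUOTED = [
    Rule("pass", "udp", "any", None, DNSSERVER, 53),
    Rule("pass", "udp", DNSSERVER, 53, "any", None),
    Rule("deny", "udp", "any", None, "any", 53),
    Rule("deny", "udp", "any", 53, "any", None),
]

# Same intent with direction/interface clauses and anti-spoofing up front:
# nothing claiming an inside or firewall source may arrive on the outside
# interface, and DNS replies are only accepted toward the firewall itself.
TIGHTENED = [
    Rule("deny", "ip", INSIDE, None, "any", None, "in", OIF),
    Rule("deny", "ip", IP, None, "any", None, "in", OIF),
    Rule("pass", "udp", IP, None, DNSSERVER, 53, "out", OIF),
    Rule("pass", "udp", DNSSERVER, 53, IP, None, "in", OIF),
    Rule("deny", "udp", "any", None, "any", 53),
    Rule("deny", "udp", "any", 53, "any", None),
]

# Constructed packets.  Port 2049 is NFS, the service the thread worries about.
CASES = {
    "query_out":        Packet("udp", IP, 3456, DNSSERVER, 53, "out", OIF),
    "reply_in":         Packet("udp", DNSSERVER, 53, IP, 3456, "in", OIF),
    "spoof_to_inside":  Packet("udp", DNSSERVER, 53, "10.0.0.5", 2049, "in", OIF),
    "spoof_to_fw":      Packet("udp", DNSSERVER, 53, IP, 2049, "in", OIF),
    "inside_src_spoof": Packet("udp", "10.0.0.7", 53, IP, 2049, "in", OIF),
}


def verdicts(rules) -> dict:
    return {name: evaluate(rules, p) for name, p in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("quoted", QUOTED), ("tightened", TIGHTENED)):
        print(label, verdicts(rules))
```

Running it shows both points at once. With the quoted rules, a packet forged as `dnsserver:53` is passed to any host and any UDP port, NFS included. The tightened set confines that reply rule to the firewall's own address and refuses inbound packets that claim an inside or firewall source, so the forged packet aimed at an inside host is dropped; but a forged packet aimed at the firewall's own port 2049 still passes, which is exactly Adam's residual objection: a `from ${dnsserver} 53` clause is still trust in a source address and port, and only narrowing the destination side limits how much that trust buys an attacker.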

