Date: Mon, 01 Nov 1999 16:22:37 +0100
From: sthaug@nethelp.no
To: adam@algroup.co.uk
Cc: security@FreeBSD.ORG
Subject: Re: hole(s) in default rc.firewall rules
Message-ID: <46576.941469757@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 01 Nov 1999 15:16:57 +0000"
References: <381DAEE9.75C2EDA5@algroup.co.uk>
> By setting their source port to 53 or 123, an attacker can bypass your
> firewall and connect to any UDP listener.
>
> I propose the following alternative:
>
> # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
> # and all other high ports. Allow outgoing UDP.
> $fwcmd add pass udp from any to ${ip} 123
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> $fwcmd add pass udp from any to any

If you block incoming UDP traffic with source port 53, you have very
effectively blocked answers from all name servers outside your firewall.
Is that what you want to do?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
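A quick way to check what the quoted rule set actually does, as an added example that is not part of the thread: a small first-match evaluator for the three proposed ipfw rules, run over constructed UDP packets. The address 192.0.2.10 stands in for ${ip}, the packets are made up, and the source-port-only rules are an assumed reconstruction of the kind of rule the thread criticises (the original message does not quote it).

```python
import re

IP = "192.0.2.10"  # constructed placeholder standing in for ${ip}

# The three rules proposed in the quoted message, with ${ip} substituted.
PROPOSED = [
    f"add pass udp from any to {IP} 123",
    f"add deny udp from any to {IP} 0-1023,1110,2049",
    "add pass udp from any to any",
]
# Assumed reconstruction (not quoted in the thread) of rules that key only on
# the source port, so anything sent from port 53 or 123 is let through.
SOURCE_PORT_ONLY = ["add pass udp from any 53 to any",
                    "add pass udp from any 123 to any"]

RULE_RE = re.compile(
    r"add (pass|deny) udp from (\S+)(?: ([\d,-]+))? to (\S+)(?: ([\d,-]+))?")

def parse_ports(spec):
    """Expand an ipfw port list such as '0-1023,1110,2049' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(text):
    action, sip, sports, dip, dports = RULE_RE.fullmatch(text).groups()
    return (action, sip, sports and parse_ports(sports), dip, dports and parse_ports(dports))

def matches(rule, pkt):
    _, sip, sports, dip, dports = rule
    return ((sip == "any" or sip == pkt["sip"]) and (sports is None or pkt["sport"] in sports)
            and (dip == "any" or dip == pkt["dip"]) and (dports is None or pkt["dport"] in dports))

def verdict(rules, pkt):
    """First-match semantics; whatever no rule matches falls to the final deny."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def udp(sip, sport, dport):
    return {"sip": sip, "sport": sport, "dip": IP, "dport": dport}

# Constructed sample traffic: legitimate replies plus packets with a forged source port.
PACKETS = {
    "dns_reply":          udp("198.51.100.1", 53, 40000),  # answer to our resolver's query
    "ntp_reply":          udp("198.51.100.2", 123, 123),   # ntpd peers talk 123 -> 123
    "sport53_to_portmap": udp("203.0.113.5", 53, 111),     # forged source port, low dst port
    "sport53_to_nfs":     udp("203.0.113.5", 53, 2049),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:20} source-port-only: {verdict(SOURCE_PORT_ONLY, pkt):5} proposed: {verdict(PROPOSED, pkt)}")
```

The proposed rules decide on the destination port, so a name server's answer to a high client port still passes; only packets aimed at the low ports, 1110 and 2049 are dropped.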