From: Archie Cobbs
Subject: Re: rc.firewall rule 200
To: krentel@dreamscape.com (Mark W. Krentel)
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 30 May 2000 09:48:59 -0700 (PDT)
Message-Id: <200005301648.JAA32109@bubba.whistle.com>
In-Reply-To: <200005290407.AAA20103@dreamscape.com> from "Mark W. Krentel" at "May 29, 2000 00:07:29 am"

Mark W. Krentel writes:
> Last week, I asked about some of the rc.firewall rules. I've looked
> at them in more detail and I have a few more comments. I apologize in
> advance if I'm being dense about this.
>
> (1) My conclusion is that rule 200 doesn't really add anything for
> security.
>
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
> Now, I realize that anything matching rule 200 cannot possibly be
> legitimate, and that's reason enough to deny it. But the claim was
> that someone on the same network could circumvent the firewall by
> using the machine's 127.0.0.1 address, as in the following attack.
>
> ifconfig lo0 down delete
> route add 127.0.0.0
> telnet 127.0.0.1
>
> I don't see where this attack accomplishes anything. An outside
> packet destined for 127.0.0.1 must first enter on an interface other
> than loopback. At that point it's confronted with the same rules
> whether it's destined for 127.0.0.1 or the machine's legit address.
> The point is that a hacker can just as easily use the machine's legit
> address and face the same set of rules.

But.. sometimes sensitive services are running bound (only) to the
address 127.0.0.1, and there are no firewall rules to protect them,
because normally none are needed. By doing the 'route add ..' trick an
adversary can negate this assumption. If you happen to be relying on
it, you're in trouble.

As an example, you have to look no farther than FreeBSD two years ago:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall (revision 1.19)
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6406

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
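To make the disagreement above concrete, here is an added first-match simulation of the two rc.firewall rules under discussion (illustrative Python written for this page, not ipfw itself and not code from either poster). It assumes a permissive trailing rule 65000 standing in for an otherwise open ruleset, and uses a hypothetical non-loopback interface name fxp0.

```python
# Added illustration: a first-match evaluator modelled on the ipfw rules in
# the thread (not ipfw itself). Each rule is (number, action, dst_net, via);
# via=None means "on any interface". Only destination and interface are
# matched, since that is all rules 100 and 200 look at.
from ipaddress import ip_address, ip_network

RC_FIREWALL = [
    (100, "pass", "0.0.0.0/0", "lo0"),    # pass all from any to any via lo0
    (200, "deny", "127.0.0.0/8", None),   # deny all from any to 127.0.0.0/8
    (65000, "pass", "0.0.0.0/0", None),   # assumed permissive tail (an "open" ruleset)
]


def evaluate(rules, dst, iface):
    """Return (rule_number, action) of the first rule matching a packet
    destined for `dst` that arrived on interface `iface`."""
    dst_ip = ip_address(dst)
    for number, action, net, via in rules:
        if via is not None and via != iface:
            continue
        if dst_ip in ip_network(net):
            return number, action
    return None, "deny"  # ipfw's implicit default rule: deny everything


def loopback_service_exposed(rules, iface):
    """True if a packet aimed at a service bound only to 127.0.0.1 and
    arriving on `iface` (i.e. not via lo0) would be passed by `rules`."""
    return evaluate(rules, "127.0.0.1", iface)[1] == "pass"


if __name__ == "__main__":
    # Same ruleset with rule 200 removed, as Mark's comment (1) proposes.
    without_200 = [r for r in RC_FIREWALL if r[0] != 200]
    print(evaluate(RC_FIREWALL, "127.0.0.1", "lo0"))   # (100, 'pass')
    print(evaluate(RC_FIREWALL, "127.0.0.1", "fxp0"))  # (200, 'deny')
    print(evaluate(without_200, "127.0.0.1", "fxp0"))  # (65000, 'pass')
```

With rule 200 present, a packet for 127.0.0.1 that enters on fxp0 is dropped before any permissive rule sees it; without it, the same packet falls through to the open tail, which is the situation Archie's reply describes.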