From owner-freebsd-security Thu Dec 2 9:52:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id CD4F414E0B; Thu, 2 Dec 1999 09:52:40 -0800 (PST) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id RAA19697; Thu, 2 Dec 1999 17:52:09 GMT
Message-ID: <3846B1CA.21FD4270@algroup.co.uk>
Date: Thu, 02 Dec 1999 17:52:10 +0000
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: John Baldwin
Cc: freebsd-security@FreeBSD.org
Subject: Re: rc.firewall revisited
References: <199912021602.LAA37669@server.baldwin.cx>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John Baldwin wrote:
> 
> On 02-Dec-99 Adam Laurie wrote:
> > My specific experience was that I found a hole in the default
> > rc.firewall rules. This hole means that UDP is totally unprotected
> > because of faulty rules for DNS and NTP. I posted a suggested fix to
> > the security-officer, and got an immediate reply saying "I agree
> > 100%". The security-officer is clearly also a list, because I then
> > got another reply from someone else, telling me how to configure my
> > DNS. This degenerated into a thread related to DNS server
> > configuration and entirely missing the point regarding ipfw. I then
> > suggested moving it to the wider forum of this list, and guess
> > what...? The same thing happened! The thread disappeared in a cloud
> > of irrelevant discussion about how to set up name servers. As I
> > say, I'm currently unaware of the status of rc.firewall, but when I
> > get around to checking it, if it hasn't been fixed, you'll be
> > reading about yourselves on bugtraq again! If it has been fixed,
> > then excellent, well done, etc. etc. :)
> 
> I checked the logs, and no change has been committed. Your proposal is
> to replace:
> 
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${ip}
> $fwcmd add pass udp from ${ip} to any 53
> 
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${ip}
> $fwcmd add pass udp from ${ip} to any 123
> 
> with:
> 
> # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
> # and all other high ports. Allow outgoing UDP.
> $fwcmd add pass udp from any to ${ip} 123
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> $fwcmd add pass udp from any to any
> 
> There were concerns about DNS replies to a local server. In -current
> and -stable, BIND is 8.2.x, so queries to the outside do not originate
> from 53 by default, and so replies do not come in to port 53. However,
> if machines inside the firewall use a DNS server on the firewall then
> you could have problems. Perhaps this instead then:
> 
> # Allow NTP to this machine
> $fwcmd add pass udp from any to ${ip} 123
> 
> # Allow DNS requests to this machine
> $fwcmd add pass udp from any to ${ip} 53
> 
> # Deny all other incoming requests on low ports and NFS
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> 
> # Allow all outgoing UDP
> $fwcmd add pass udp from any to any

OK, well this more or less matches my own current iteration, so I have
no problem with that...

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
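The two UDP rule sets quoted in this thread, compared on constructed packets, as an added example that is not part of the original messages or of rc.firewall: a small first-match evaluator stands in for ipfw's "first matching rule wins" semantics, and 192.0.2.1 (for ${ip}) and the peer addresses are assumed placeholders.

```shell
# Added example, not from the thread: a tiny first-match evaluator that mimics
# ipfw semantics so the old and the proposed UDP rule sets can be compared on
# constructed packets. ${ip} is the firewall host; 192.0.2.1 is a placeholder.
ip=192.0.2.1

# One rule per line: "<action> <src-addr> <src-ports> <dst-addr> <dst-ports>".
# "any" matches everything; ports are a number, a range a-b, or a comma list.
# The trailing deny stands in for ipfw's default rule (65535).
OLD_RULES="pass any 53 $ip any
pass $ip any any 53
pass any 123 $ip any
pass $ip any any 123
deny any any any any"

NEW_RULES="pass any any $ip 123
pass any any $ip 53
deny any any $ip 0-1023,1110,2049
pass any any any any
deny any any any any"

addr_match() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# port_match <spec> <port>: true if <port> is covered by <spec>
port_match() {
    spec=$1; port=$2
    [ "$spec" = any ] && return 0
    oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs
    for item; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$item" -eq "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# verdict <rules> <src> <sport> <dst> <dport>: prints the first matching action
verdict() {
    printf '%s\n' "$1" | while read -r action rs rsp rd rdp; do
        if addr_match "$rs" "$2" && port_match "$rsp" "$3" &&
           addr_match "$rd" "$4" && port_match "$rdp" "$5"; then
            echo "$action"; exit 0
        fi
    done
}
# A UDP datagram with source port 53 aimed at the NFS port on the firewall:
echo "old rules: $(verdict "$OLD_RULES" 198.51.100.7 53 "$ip" 2049)"   # pass
echo "new rules: $(verdict "$NEW_RULES" 198.51.100.7 53 "$ip" 2049)"   # deny
```

The old set lets any datagram through to any port on the firewall as long as its source port is 53 or 123, which is the hole the thread describes; the proposed set keys on the destination port instead, so replies to high ports still get in while low ports and NFS are closed.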