From owner-freebsd-security Thu Dec 2 11:54:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0948714E22; Thu, 2 Dec 1999 11:54:40 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA74271; Thu, 2 Dec 1999 11:54:39 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199912021954.LAA74271@gndrsh.dnsmgr.net>
Subject: Re: rc.firewall revisited
In-Reply-To: <199912021817.NAA54042@server.baldwin.cx> from John Baldwin at "Dec 2, 1999 01:17:59 pm"
To: jhb@FreeBSD.org (John Baldwin)
Date: Thu, 2 Dec 1999 11:54:38 -0800 (PST)
Cc: freebsd-security@FreeBSD.org, adam@algroup.co.uk
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > On 02-Dec-99 Rodney W. Grimes wrote:
> > ...
> >> >
> >> > # Allow all outgoing UDP
> >> > $fwcmd add pass udp from any to any
> >
> > The comment for this does not match what the rule actually does,
> > this rule has nothing ``outgoing'' about it at all....
>
> Grrr.. perhaps this would be better:
>
> $fwcmd add pass udp from ${ip} to any
>
> >> OK, well this more or less matches my own current iteration, so I have
> >> no problem with that...
> >
> > The above rule set reduces to nothing more than a deny to low ports
> > and NFS due to missing via/in/out clauses..
>
> Do you prefer your earlier proposal that used a $dnsserver variable then?

I'd actually prefer that rc.firewall be pretty much either blank, or very carefully engineered. What is there now is a total joke, it only gives people false senses of security.
If you must deal with DNS through a firewall you must make sure your bind is set up to do port 53 queries, only listen on specific IP addresses and then you can actually write the correct rules:

ipfw add X pass udp from any to ${dnsserver} 53
ipfw add X+1 pass udp from ${dnsserver} 53 to any
ipfw add X+2 deny log udp from any to any 53
ipfw add X+3 deny log udp from any 53 to any

You also need to do similar things for tcp/53. One can't be sure that the above will work, unless one can ensure that all DNS clients are configured to query from port 53. If you have to remove this restriction you'll never get a set of rules that's worth a damn with respect to named.

If this is a real firewall instead of just a host being protected you can be even stricter if you configure your internal DNS servers correctly, mandate that all internal DNS queries use these servers as forwarders, etc. This is way way way beyond the scope of what can easily be done in a stock /etc/rc.firewall.

You will never be able to write an rc.firewall that is very good and generally applicable unless you define a lot of things about how the environment is set up, and tell the user how he needs to change his internal configuration such that it can work with this set of firewall rules. You need things like internal IP subnet range data, specific services on specific machines, allowed protocols; my current simple set firewall uses 80 some odd variables to define this stuff, and it's not even close to being a good firewall :-)

#!/bin/sh
# $FreeBSD$
# rc.firewall
# This is the file that a site should define its firewall rule set in,
# we recommend books X, Y and Z and man ipfw(8) as minimal reading before
# attempting to create the content of this file.
#
# It is up to the user to write a correct set of firewall rules, network
# environments are far too varied to even attempt for FreeBSD to provide
# a template, as it would most definitely be wrong at some unknown number
# of sites.
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
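The port-53 rule set from the mail, as an added example that is not part of the original post: a small sh function that emits the pass rules for one or more DNS servers and the logging deny tail, for both udp and tcp as the mail says is needed. The rule numbers, the FWCMD default, and the sample address are assumptions; the BIND "query-source" option is the setting the mail means by "port 53 queries".

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the port-53 rules the
# mail describes for a list of DNS servers, udp and tcp alike, ending with
# a logged deny for any other port-53 traffic. It only works if the DNS
# servers send their own queries from port 53 (BIND: "query-source
# address * port 53;"), which is the condition the mail insists on.
#
# FWCMD defaults to printing the rules; set FWCMD=/sbin/ipfw to load them.
FWCMD=${FWCMD:-"echo ipfw"}

# dns_rules BASE SERVER...
# Emits rules numbered from BASE (an assumed value chosen by the caller).
dns_rules() {
    n=$1; shift
    for proto in udp tcp; do
        for srv in "$@"; do
            # queries to our resolver, and replies to the queries it sent
            # from port 53
            $FWCMD add "$n" pass "$proto" from any to "$srv" 53
            n=$((n + 1))
            # our resolver's own queries (source port 53) and its answers
            $FWCMD add "$n" pass "$proto" from "$srv" 53 to any
            n=$((n + 1))
        done
        # anything else talking to or from port 53 is dropped and logged,
        # so misconfigured clients show up in the log instead of silently
        # working around the rule set
        $FWCMD add "$n" deny log "$proto" from any to any 53
        n=$((n + 1))
        $FWCMD add "$n" deny log "$proto" from any 53 to any
        n=$((n + 1))
    done
}

# Usage with a constructed server address and an assumed base rule number:
dns_rules 1000 10.0.0.53
```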