From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 16:42:44 2014
From: Dag-Erling Smørgrav <des@des.no>
To: Ian Smith
Cc: freebsd-security@freebsd.org, "Ronald F. Guilmette"
Subject: Re: URGENT?
Date: Fri, 21 Mar 2014 17:42:35 +0100
Message-ID: <86r45v7bb8.fsf@nine.des.no>
In-Reply-To: <20140322000445.C31989@sola.nimnet.asn.au> (Ian Smith's message of "Sat, 22 Mar 2014 02:25:19 +1100 (EST)")
References: <45158.1395348066@server1.tristatelogic.com> <20140322000445.C31989@sola.nimnet.asn.au>
List-Id: Security issues [members-only posting] <freebsd-security.freebsd.org>

Ian Smith writes:
> Just on your last point: if your internet-connected device is providing
> any services whatsoever on its outside interface (netstat -finet -an)

Or sockstat -4l, which is far more readable.

> As assorted experts have suggested, you need a stateful rule. It's
> really not that hard; if you _only_ needed to protect ntp on udp:
>
> kldload ipfw && ipfw add 65000 allow ip from any to any # load null fw
> ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
> ipfw add deny udp from any to me ntp in recv $outsideif
>
> Done. Perfectly configured for this one purpose, statefully no less ..

Wrong, wrong, wrong. Whitelist, not blacklist. I haven't used ipfw in
years, but with pf:

| set block-policy return
| set skip on lo0
| scrub in all
| block quick inet6
| block log all
|
| # allow ping
| pass inet proto icmp all icmp-type echoreq
|
| # allow incoming ssh
| pass in inet proto tcp from any to self port ssh
|
| # allow outgoing tcp
| pass out inet proto tcp from self to any
|
| # allow outgoing DNS and NTP
| pass out inet proto udp from self to any port { domain, ntp }

Unlike ipfw, pf keeps state by default and retains it when you reload
the ruleset, so you can safely do "sudo service pf reload" over ssh.

Note that I didn't include echoresp in the list of allowed ICMP types,
because an incoming or outgoing echoreq packet will create a state rule
which allows the corresponding echoresp.

I have the following rule on at least one machine:

| # Allow outgoing TCP RST packets
| pass out proto tcp from any to any flags R/R no state

but I don't remember the exact circumstances in which outgoing RST
packets were being blocked. Try connecting to a TCP port other than ssh
from outside, and if the connection times out instead of immediately
failing, you need the RST rule.

This ruleset blocks UDP traceroute. Use TCP ('traceroute -P TCP host')
instead.

DES
-- 
Dag-Erling Smørgrav - des@des.no
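The "whitelist, not blacklist" point above is easiest to see by running the same flows through both styles of ruleset. The following is an added example, not code from the post or from FreeBSD: a toy packet filter that evaluates rules with either ipfw-style first-match or pf-style last-match semantics and keeps a flow-state table. The two rule sets are hand-written approximations of the quoted ipfw lines and the pf ruleset (pf's implicit keep-state is written out explicitly), and every address and port number is constructed.

```python
"""Toy model of the blacklist-vs-whitelist firewall styles in the thread.

Added example, not code from the mailing-list post. The rule sets are
approximations of the quoted ipfw commands and of the pf ruleset; the
host address and peer address are constructed (RFC 5737 documentation
ranges), and only TCP/UDP are modelled.
"""
from dataclasses import dataclass

SELF = "203.0.113.10"        # constructed: the firewall host's own address
ANY = "any"
SSH, DOMAIN, NTP = 22, 53, 123


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving on the outside interface) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self):
        """Direction-independent flow key, so a reply matches the query."""
        return self.proto, tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str = ANY         # "in", "out" or ANY
    proto: str = ANY
    src: str = ANY               # "self", ANY or a literal address
    dst: str = ANY
    dports: tuple = ()           # () means any destination port
    keep_state: bool = False     # create a flow entry when this rule passes
    quick: bool = False          # pf "quick": stop evaluating at this rule

    @staticmethod
    def _addr_ok(want, have):
        return want == ANY or (want == "self" and have == SELF) or want == have

    def matches(self, p):
        return (self.direction in (ANY, p.direction)
                and self.proto in (ANY, p.proto)
                and self._addr_ok(self.src, p.src)
                and self._addr_ok(self.dst, p.dst)
                and (not self.dports or p.dport in self.dports))


class Firewall:
    def __init__(self, rules, first_match, default):
        self.rules = rules
        self.first_match = first_match   # True: ipfw semantics; False: pf (last match wins)
        self.default = default           # verdict when no rule matches
        self.states = set()

    def filter(self, p):
        if p.flow() in self.states:
            return "pass"                # belongs to an established flow
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if self.first_match or rule.quick:
                    break
        if winner is None:
            return self.default
        if winner.action == "pass" and winner.keep_state:
            self.states.add(p.flow())
        return winner.action


# The quoted ipfw blacklist: allow outgoing NTP with state, deny incoming NTP,
# and the "null firewall" rule 65000 that allows everything else.
IPFW_BLACKLIST = Firewall([
    Rule("pass", "out", "udp", src="self", dports=(NTP,), keep_state=True),
    Rule("block", "in", "udp", dst="self", dports=(NTP,)),
    Rule("pass"),
], first_match=True, default="block")

# The pf whitelist: "block log all" first, then the pass rules (last match wins).
PF_WHITELIST = Firewall([
    Rule("block"),
    Rule("pass", "in", "tcp", dst="self", dports=(SSH,), keep_state=True),
    Rule("pass", "out", "tcp", src="self", keep_state=True),
    Rule("pass", "out", "udp", src="self", dports=(DOMAIN, NTP), keep_state=True),
], first_match=False, default="pass")


def scenario(fw):
    """Push four constructed packets through a filter; returns the verdicts."""
    fw.states.clear()
    peer = "198.51.100.7"   # constructed remote host
    return {
        "ntp_query": fw.filter(Packet("out", "udp", SELF, 40000, peer, NTP)),
        "ntp_reply": fw.filter(Packet("in", "udp", peer, NTP, SELF, 40000)),
        "unsolicited_ntp": fw.filter(Packet("in", "udp", peer, 50000, SELF, NTP)),
        "other_udp_service": fw.filter(Packet("in", "udp", peer, 50001, SELF, 9999)),
    }


if __name__ == "__main__":
    print("ipfw blacklist:", scenario(IPFW_BLACKLIST))
    print("pf whitelist:  ", scenario(PF_WHITELIST))
```

Both rule sets let the NTP query out and its reply back in, and both drop the unsolicited NTP packet. The difference shows up in the last packet: the blacklist only knows about NTP, so any other listener on the outside interface is reachable, while the whitelist blocks it because nothing passes it explicitly.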
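The check DES describes for the RST rule (connect to a non-ssh TCP port from outside; an immediate failure is fine, a timeout means outgoing RSTs are being dropped) can be scripted. This is an added example, not code from the post: it connects with a timeout and classifies the result, and `demo_local` exercises it against a constructed listener on the loopback interface. The host and port in the `__main__` block are assumptions to be replaced with the machine under test, probed from outside.

```python
"""Classify a TCP connect attempt: open, refused (RST came back) or timeout.

Added example, not code from the mailing-list post. Per the post, a
closed port that times out instead of refusing immediately is the
symptom of outgoing RST packets being blocked by the ruleset.
"""
import errno
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<errno name>'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"                 # no SYN-ACK and no RST within the limit
        except ConnectionRefusedError:
            return "refused"                 # the host answered with RST: normal for a closed port
        except OSError as e:
            return f"error:{errno.errorcode.get(e.errno, e.errno)}"
        return "open"


def needs_rst_rule(result):
    """The post's criterion: a closed port that times out rather than refusing."""
    return result == "timeout"


def demo_local():
    """Constructed check on loopback: probe a listening port, then the same port closed.

    Returns the pair of classifications; on an ordinary host it is
    ('open', 'refused'), because loopback never filters RSTs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))               # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Assumed arguments: the firewalled host and a TCP port other than ssh.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    result = probe_tcp(host, port)
    print(f"{host}:{port} -> {result}; RST rule needed: {needs_rst_rule(result)}")
```

Run it from a machine outside the firewall, not from the host itself: the "block-policy return" and the RST rule only matter for traffic crossing the outside interface, which is why the loopback demo always reports "refused".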