From: Adam Laurie <adam@algroup.co.uk>
Date: Thu, 02 Dec 1999 23:00:34 +0000
To: "Rodney W. Grimes"
Cc: John Baldwin, freebsd-security@FreeBSD.org
Subject: Re: rc.firewall revisited

"Rodney W. Grimes" wrote:
>
> > On 02-Dec-99 Rodney W. Grimes wrote:
> > > ...
> > >> > # Allow all outgoing UDP
> > >> > $fwcmd add pass udp from any to any
> > >
> > > The comment for this does not match what the rule actually does,
> > > this rule has nothing ``outgoing'' about it at all....
> >
> > Grrr.. perhaps this would be better:
> >
> > $fwcmd add pass udp from ${ip} to any
> >
> > >> OK, well this more or less matches my own current iteration, so I have
> > >> no problem with that...
> > >
> > > The above rule set reduces to nothing more than a deny to low ports
> > > and NFS due to missing via/in/out clauses..
> >
> > Do you prefer your earlier proposal that used a $dnsserver variable then?
>
> I'd actually prefer that rc.firewall be pretty much either blank, or very
> carefully engineered. What is there now is a total joke, it only gives
> people false senses of security.

I agree. What we're trying to do is engineer it... The current one is
actually broken, and that needs fixing.

> If you must deal with DNS through a firewall you must make sure your
> bind is set up to do port 53 queries, only listen on specific IP addresses
> and then you can actually write the correct rules:

The proposed rule deals with both "properly" and otherwise configured DNS
so I don't see what the objection is.

> ipfw add X pass udp from any to ${dnsserver} 53
> ipfw add X+1 pass udp from ${dnsserver} 53 to any
> ipfw add X+2 deny log udp from any to any 53
> ipfw add X+3 deny log udp from any 53 to any

This breaks one of the basic rules of firewalling... Trusting traffic
based on source address. To quote from the ipfw manual:

    Note that it may be dangerous to filter on the source IP address or
    source TCP/UDP port because either or both could easily be spoofed.

You've just let anyone that can spoof your DNS's source address onto any
UDP port.

> You also need to do similar things for tcp/53.
>
> One can't be sure that the above will work, unless one can insure that
> all DNS clients are configured to query from port 53. If you have to
> remove this restriction you'll never get a set of rules that's worth a
> damn with respect to named. If this is a real firewall instead of just
> a host being protected you can be even stricter if you configure your
> internal DNS servers correctly, mandate that all internal DNS queries
> use these servers as forwarders, etc. This is way way way beyond the
> scope of what can easily be done in a stock /etc/rc.firewall.
>
> You will never be able to write an rc.firewall that is very good and generally
> applicable unless you define a lot of things about how the environment is set
> up, and tell the user how he needs to change his internal configuration such
> that it can work with this set of firewall rules.
>
> You need things like internal IP subnet range data, specific services on
> specific machines, allowed protocols; my current simple set firewall uses
> 80 some odd variables to define this stuff, and it's not even close to being
> a good firewall :-)
>
> #!/bin/sh
> # $FreeBSD$
> # rc.firewall
>
> # This is the file that a site should define its firewall rule set in,
> # we recommend books X, Y and Z and man ipfw(8) as minimal reading before
> # attempting to create the content of this file.
> #
> # It is up to the user to write a correct set of firewall rules, network
> # environments are far too varied to even attempt for FreeBSD to provide
> # a template, as it would most definitely be wrong at some unknown number
> # of sites.

That is indeed a reasonable alternative... :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
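The source-address objection above can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD's rc.firewall: a toy evaluator for the ipfw UDP rule shape used in the quoted four rules (first match wins, default deny, no via/in/out clauses), run against constructed packets; the addresses 10.0.0.53 for ${dnsserver} and 10.0.0.7 for a protected host are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DNSSERVER = "10.0.0.53"   # constructed stand-in for ${dnsserver}

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "deny"
    src: str               # IP address or "any"
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# The four UDP rules from the quoted message, in the order ipfw would try them.
RULESET = [
    Rule("pass", "any", None, DNSSERVER, 53),   # X:   queries to the server
    Rule("pass", DNSSERVER, 53, "any", None),   # X+1: anything claiming src dnsserver:53
    Rule("deny", "any", None, "any", 53),       # X+2: other DNS queries
    Rule("deny", "any", 53, "any", None),       # X+3: other DNS replies
]

def _match(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def verdict(pkt: Packet, rules=RULESET) -> str:
    """Action of the first matching rule; assumes ipfw's default deny at the end."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return "deny"

def spoofed_reachable_ports(rules=RULESET, victim="10.0.0.7") -> int:
    """Audit check: how many UDP ports on `victim` does a forged
    dnsserver:53 source address get through to?  Rule X+1 answers 'all'."""
    return sum(verdict(Packet(DNSSERVER, 53, victim, p), rules) == "pass"
               for p in range(1, 65536))
```

Legitimate query/reply pairs pass as intended, but so does a datagram forged from dnsserver:53 to any port on the protected host, which is the hole the reply describes.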