Date: Fri, 03 Dec 1999 11:42:54 +0000 From: Adam Laurie <adam@algroup.co.uk> To: Nate Williams <nate@mt.sri.com> Cc: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <3847ACBE.3D66A556@algroup.co.uk> References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Nate Williams wrote:
>
> > > ipfw add X pass udp from any to ${dnsserver} 53
> > > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > > ipfw add X+2 deny log udp from any to any 53
> > > ipfw add X+3 dney log udp from any 53 to any
> >
> > This breaks one of the basic rules of firewalling... Trusting traffic
> > based on source address. To quote from the ipfw manual:
> >
> > Note that may be dangerous to filter on the source IP address or
> > source
> > TCP/UDP port because either or both could easily be spoofed.
> >
> > You've just let anyone that can spoof you DNS's source address onto any
> > UDP port.
>
> No he didn't, because you have spoofing rules in place *way* before
> these rules are in place. Now you're defending Rod who states that to
> have a good firewall, you need a lot more information about the internal
> network and services provided than can be produced generically.
If only life were that simple. I assume the rule you're reffering to is:
# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
This simply stops traffic that's pretending to be your internal network
coming in from the outside, and vice versa. It does not help with other
networks being spoofed.
>
> However, I think what you're proposing is better than what exists, so
> gofer it!
Unfortunately I'm not in that position... I am merely suggesting some
fixes to the powers that be... If I ever get in touch with the person
that can actually make the changes, I have some further enhancements I'd
like to offer (a new section for a single pc, and moving most of the
variables like IP addresses out into rc.conf where they belong).
The bottom line is that if you're going to provide out-of-box firewall
rules, then they should be set up to protect the out-of-box
configuration. That shouldn't be too hard. Obviously, if the user then
starts adding their own services, they need to worry about their own
rules a bit more.
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3847ACBE.3D66A556>