From owner-freebsd-security Fri Dec 3 8:58:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 2F966151AB; Fri, 3 Dec 1999 08:58:39 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id JAA28685; Fri, 3 Dec 1999 09:58:22 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id JAA11193; Fri, 3 Dec 1999 09:58:21 -0700
Date: Fri, 3 Dec 1999 09:58:21 -0700
Message-Id: <199912031658.JAA11193@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Adam Laurie
Cc: Nate Williams, "Rodney W. Grimes", John Baldwin, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
In-Reply-To: <3847F55E.B546B2EB@algroup.co.uk>
References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com> <3847F55E.B546B2EB@algroup.co.uk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > And, of course, it also means you are wide open to attack from a
> > > compromised name server. I do not want to trust hosts. I want to trust
> > > specific connections to specific services.
> >
> > How do you propose to stop a compromised name server from giving out
> > bogus information using a firewall rule? I'm curious...
>
> Please re-read my statement. Who said anything about bogus
> information?

Compromised implies that the information is 'bogus' and/or wrong.

> I'm talking about connecting to UDP ports (like NFS) that you're not
> supposed to be able to connect to. Since his rule passes UDP that is
> sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> you are wide open to *attack*, not misinformation.

Huh? How do you figure someone is going to *ATTACK* you by the process
of *you* sending out information?

> At some point, your chain of name servers has to talk to the outside
> world, so this means the machine that does the final relay is open to
> attack from the outside world.

Right. But, they can only talk to known ports on your machine that you
allow (including port 53). And, you only send out data *from* port 53
(as well as other known ports).

I'm *really* confused as to how you think sending out data from a known
port will compromise your machine? If so, then every machine with
external services has the potential to be compromised by the very act of
sending out information.

Please remove my confusion. :)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
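The rule shape Adam describes ("passes UDP that is sourced from port 53 on the nameserver to ANY UDP port"), worked through as an added example. This is not code from the thread or from rc.firewall: it is a toy first-match evaluator for a small subset of ipfw(8) syntax, run over two constructed rulesets. The addresses are RFC 5737 documentation addresses picked for the example, the "relay" host 192.0.2.1 and the outside host 203.0.113.10 are assumptions, and the tightened variant assumes named on the relay is configured to send its queries from port 53 so that every legitimate reply is addressed to port 53. The point it shows is that the sender, not the firewall, chooses the source port, so a rule keyed on "from any 53" admits whatever the remote side cares to send from port 53.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax.

Added example, not code from the freebsd-security thread or rc.firewall.
Rulesets, hosts and probe packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Endpoint:
    """One side of a rule: network (None == 'any') and port set (None == any port)."""
    net: Optional[object]
    ports: Optional[FrozenSet[int]]

    def matches(self, addr: str, port: int) -> bool:
        if self.net is not None and ip_address(addr) not in self.net:
            return False
        return self.ports is None or port in self.ports


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "deny"
    proto: str    # "udp", "tcp" or "ip"
    src: Endpoint
    dst: Endpoint


def _parse_ports(spec: str) -> FrozenSet[int]:
    """'53' -> {53}; '53,123' -> {53, 123}; '1024-1027' -> {1024, ..., 1027}."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return frozenset(ports)


def _parse_endpoint(tokens: List[str]) -> Endpoint:
    net = None if tokens[0] == "any" else ip_network(tokens[0], strict=False)
    ports = _parse_ports(tokens[1]) if len(tokens) > 1 else None
    return Endpoint(net, ports)


def parse_rule(text: str) -> Rule:
    """Parse '<pass|allow|deny|drop> <proto> from <host> [ports] to <host> [ports]'."""
    tokens = text.split()
    if len(tokens) < 5 or tokens[2] != "from" or "to" not in tokens[3:]:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    actions = {"pass": "pass", "allow": "pass", "deny": "deny", "drop": "deny"}
    if tokens[0] not in actions:
        raise ValueError(f"unsupported action in: {text!r}")
    to_idx = tokens.index("to", 3)
    return Rule(actions[tokens[0]], tokens[1],
                _parse_endpoint(tokens[3:to_idx]),
                _parse_endpoint(tokens[to_idx + 1:]))


def ruleset(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; falls through to deny, like ipfw's rule 65535 in a
    kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT (assumed here)."""
    for rule in rules:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.src.matches(pkt.src, pkt.sport) and rule.dst.matches(pkt.dst, pkt.dport):
            return rule.action
    return "deny"


RELAY = "192.0.2.1"        # constructed: the inside name server that relays to the outside
OUTSIDE = "203.0.113.10"   # constructed: an arbitrary outside host

# Shape of the rule under debate: replies come back to ANY UDP port on the relay.
LOOSE = ruleset([
    f"pass udp from {RELAY} to any 53",    # our queries out
    f"pass udp from any 53 to {RELAY}",    # anything sourced from port 53 back in
    "deny udp from any to any",
])

# Tightened variant; assumes named on RELAY queries from port 53, so replies hit 53.
TIGHT = ruleset([
    f"pass udp from {RELAY} to any 53",
    f"pass udp from any 53 to {RELAY} 53",
    "deny udp from any to any",
])

PROBES = {
    "dns reply":  Packet("udp", OUTSIDE, 53, RELAY, 53),
    "src53->nfs": Packet("udp", OUTSIDE, 53, RELAY, 2049),   # remote side chose source port 53
    "other->nfs": Packet("udp", OUTSIDE, 4000, RELAY, 2049),
}


def compare() -> dict:
    """(loose verdict, tight verdict) for each constructed probe packet."""
    return {name: (evaluate(LOOSE, p), evaluate(TIGHT, p)) for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:11} loose={loose:5} tight={tight}")
```

Only the middle probe differs between the two rulesets: a datagram from outside port 53 to the relay's NFS port is passed by the loose set and dropped by the tight one, while a genuine reply to port 53 passes both. Nothing here depends on the relay sending anything; the outbound rule is identical in both sets.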