Date: Fri, 3 Dec 1999 09:25:38 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: adam@algroup.co.uk (Adam Laurie) Cc: nate@mt.sri.com (Nate Williams), jhb@FreeBSD.ORG (John Baldwin), freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <199912031725.JAA77320@gndrsh.dnsmgr.net> In-Reply-To: <3847C0CB.2E9774A@algroup.co.uk> from Adam Laurie at "Dec 3, 1999 01:08:27 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> Adam Laurie wrote: > > > > Nate Williams wrote: > > > > > > > > ipfw add X pass udp from any to ${dnsserver} 53 > > > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any > > > > > ipfw add X+2 deny log udp from any to any 53 > > > > > ipfw add X+3 dney log udp from any 53 to any > > > > > > > > This breaks one of the basic rules of firewalling... Trusting traffic > > > > based on source address. To quote from the ipfw manual: Only wildcard source address above is allowed only to a specif host and port, you _have_ to do this unless a belt and suspender internal/external DNS configuration firewall is built. If you expect the default /etc/rc.firewall to support belt and suspender your dreaming. > > > > > > > > Note that may be dangerous to filter on the source IP address or > > > > source > > > > TCP/UDP port because either or both could easily be spoofed. > > > > > > > > You've just let anyone that can spoof you DNS's source address onto any > > > > UDP port. > > And, of course, it also means you are wide open to attack from a > compromised name server. I do not want to trust hosts. I want to trust > specific connections to specific services. Then you want a customer written from scratch firewall set, not the generic supplied /etc/rc.firewall and someone might as well commit my 5 liner that says go read book x y and z to see how to write this file. Your not going to get any better than the above 4 rule set for a generic /etc/rc.firewall and still have a functional network without something so large no novice could even start to understand it. I am going to leave this conversation now, it seems that your wants and reality do not coincide with what we could accomodate in a generic /etc/rc.firewall. Nor does it appear that your understanding of the above rule set is complete. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912031725.JAA77320>