Date: Fri, 3 Dec 1999 09:25:38 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: adam@algroup.co.uk (Adam Laurie) Cc: nate@mt.sri.com (Nate Williams), jhb@FreeBSD.ORG (John Baldwin), freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <199912031725.JAA77320@gndrsh.dnsmgr.net> In-Reply-To: <3847C0CB.2E9774A@algroup.co.uk> from Adam Laurie at "Dec 3, 1999 01:08:27 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> Adam Laurie wrote:
> >
> > Nate Williams wrote:
> > >
> > > > > ipfw add X pass udp from any to ${dnsserver} 53
> > > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > > > > ipfw add X+2 deny log udp from any to any 53
> > > > > ipfw add X+3 dney log udp from any 53 to any
> > > >
> > > > This breaks one of the basic rules of firewalling... Trusting traffic
> > > > based on source address. To quote from the ipfw manual:
Only wildcard source address above is allowed only to a specif host and
port, you _have_ to do this unless a belt and suspender internal/external
DNS configuration firewall is built. If you expect the default
/etc/rc.firewall to support belt and suspender your dreaming.
> > > >
> > > > Note that may be dangerous to filter on the source IP address or
> > > > source
> > > > TCP/UDP port because either or both could easily be spoofed.
> > > >
> > > > You've just let anyone that can spoof you DNS's source address onto any
> > > > UDP port.
>
> And, of course, it also means you are wide open to attack from a
> compromised name server. I do not want to trust hosts. I want to trust
> specific connections to specific services.
Then you want a customer written from scratch firewall set, not the
generic supplied /etc/rc.firewall and someone might as well commit my 5
liner that says go read book x y and z to see how to write this file.
Your not going to get any better than the above 4 rule set for a generic
/etc/rc.firewall and still have a functional network without something
so large no novice could even start to understand it.
I am going to leave this conversation now, it seems that your wants and
reality do not coincide with what we could accomodate in a generic
/etc/rc.firewall. Nor does it appear that your understanding of the
above rule set is complete.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912031725.JAA77320>