From owner-freebsd-security Fri Dec 3 9:49:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 87ABE151E7; Fri, 3 Dec 1999 09:49:20 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA77378; Fri, 3 Dec 1999 09:48:38 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199912031748.JAA77378@gndrsh.dnsmgr.net>
Subject: Re: rc.firewall revisited
In-Reply-To: <3847F55E.B546B2EB@algroup.co.uk> from Adam Laurie at "Dec 3, 1999 04:52:46 pm"
To: adam@algroup.co.uk (Adam Laurie)
Date: Fri, 3 Dec 1999 09:48:38 -0800 (PST)
Cc: nate@mt.sri.com (Nate Williams), jhb@FreeBSD.ORG (John Baldwin), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Nate Williams wrote:
> >
> > > And, of course, it also means you are wide open to attack from a
> > > compromised name server. I do not want to trust hosts. I want to trust
> > > specific connections to specific services.
> >
> > How do you propose to stop a compromised name server from giving out
> > bogus information using a firewall rule? I'm curious...
>
> Please re-read my statement. Who said anything about bogus information?
> I'm talking about connecting to UDP ports (like NFS) that you're not
> supposed to be able to connect to. Since his rule passes UDP that is
> sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> you are wide open to *attack*, not misinformation. At some point, your
> chain of name servers has to talk to the outside world, so this means
> the machine that does the final relay is open to attack from the outside
> world.
Someone hand Adam a pair of wire cutters; that is the only way he is going to get the firewall he wants.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)             rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
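The point Adam is making above, worked through in code as an added example that is not part of this thread and not taken from rc.firewall: a tiny first-match packet filter modelled on ipfw evaluates three rule sets against the same packets. The "weak" set is the rule shape the thread describes (pass UDP from the name server's port 53 to any port on any host); the other two are assumed tightenings, one stateless and one relying on keep-state/check-state, which is assumed to be available in the ipfw being used. All addresses, the internal relay resolver, the NFS host, and the packets are constructed for the example.

```python
# Added example, not code from the mailing-list thread or from rc.firewall.
# A minimal first-match UDP packet filter in the style of ipfw, used to show
# that a rule keyed only on "source port 53 at the name server" lets whoever
# controls that name server reach any UDP service behind the firewall.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "deny"
    proto: str
    src: str                  # "any" or one address
    sport: Optional[range]    # None means any port
    dst: str
    dport: Optional[range]
    keep_state: bool = False  # record the flow so the reply is let back in


def port_ok(wanted: Optional[range], port: int) -> bool:
    return wanted is None or port in wanted


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and port_ok(rule.sport, pkt.sport)
            and port_ok(rule.dport, pkt.dport))


class Filter:
    """First-match rule list with an implicit final deny, plus a flow table
    that stands in for ipfw's dynamic rules (check-state / keep-state)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        # check-state: a packet that is the reverse of a recorded flow passes.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "pass"
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny"


def evaluate(rules: List[Rule], pkts: List[Packet]) -> List[str]:
    f = Filter(rules)
    return [f.check(p) for p in pkts]


# Constructed addresses (assumptions, not from the thread).
NS = "192.0.2.53"      # external name server the relay forwards to
RELAY = "10.0.0.2"     # internal resolver that does the final relay
VICTIM = "10.0.0.5"    # internal host exporting NFS over UDP
DNS = range(53, 54)
UNPRIV = range(1024, 65536)

# Weak: the rule as the thread describes it,
# roughly "pass udp from ${NS} 53 to any" in ipfw terms.
WEAK = [Rule("pass", "udp", NS, DNS, "any", None)]

# Stateless tightening: explicitly deny portmap and NFS first, then only let
# port-53 traffic from NS reach the relay, and only on unprivileged ports.
STATELESS = [
    Rule("deny", "udp", "any", None, "any", range(111, 112)),
    Rule("deny", "udp", "any", None, "any", range(2049, 2050)),
    Rule("pass", "udp", NS, DNS, RELAY, UNPRIV),
]

# Stateful: nothing from NS gets in unless the relay sent the query first
# (assumes an ipfw with keep-state/check-state).
STATEFUL = [Rule("pass", "udp", RELAY, UNPRIV, NS, DNS, keep_state=True)]

# Constructed packets: an attack from the (compromised) name server's port 53
# at NFS on an internal host, and a legitimate query/reply pair.
ATTACK = Packet("udp", NS, 53, VICTIM, 2049)
QUERY = Packet("udp", RELAY, 40000, NS, 53)
REPLY = Packet("udp", NS, 53, RELAY, 40000)

if __name__ == "__main__":
    print("weak      attack:", evaluate(WEAK, [ATTACK]))
    print("stateless attack:", evaluate(STATELESS, [ATTACK]), "reply:", evaluate(STATELESS, [REPLY]))
    print("stateful  query,reply,attack:", evaluate(STATEFUL, [QUERY, REPLY, ATTACK]))
    print("stateful  unsolicited reply:", evaluate(STATEFUL, [REPLY]))
```

The stateless set still trusts the name server to reach the relay's unprivileged ports, which is exactly the residual exposure Adam describes for "the machine that does the final relay"; the stateful set is the only one where a packet from port 53 gets in solely because a matching query went out.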