Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 3 Dec 1999 09:00:35 -0700
From:      Nate Williams <nate@mt.sri.com>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        Nate Williams <nate@mt.sri.com>, "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <199912031600.JAA10966@mt.sri.com>
In-Reply-To: <3847ACBE.3D66A556@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help 
> > > > ipfw add X pass udp from any to ${dnsserver} 53
> > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > > > ipfw add X+2 deny log udp from any to any 53
> > > > ipfw add X+3 dney log udp from any 53 to any
> > >
> > > This breaks one of the basic rules of firewalling... Trusting traffic
> > > based on source address. To quote from the ipfw manual:
> > >
> > >      Note that may be dangerous to filter on the source IP address or
> > > source
> > >      TCP/UDP port because either or both could easily be spoofed.
> > >
> > > You've just let anyone that can spoof you DNS's source address onto any
> > > UDP port.
> > 
> > No he didn't, because you have spoofing rules in place *way* before
> > these rules are in place.  Now you're defending Rod who states that to
> > have a good firewall, you need a lot more information about the internal
> > network and services provided than can be produced generically.
> 
> If only life were that simple. I assume the rule you're reffering to is:
> 
>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
> This simply stops traffic that's pretending to be your internal network
> coming in from the outside, and vice versa. It does not help with other
> networks being spoofed.

True, but neither did the rules you (?) proposed previously.  The rules
Rod listed limited the packets to come/go *only* from the internal DNS
server on the network, so in no way makes it any worse that what was
proposed, and only makes it better.  However, they require more
knowledge of the external IP address of the box as well as the external
interface, along with the internal IP addresses.

> The bottom line is that if you're going to provide out-of-box firewall
> rules, then they should be set up to protect the out-of-box
> configuration.

I don't believe you can do a great job of that, but we can do a better
job than what we're currently doing.



Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912031600.JAA10966>