Date: Thu, 2 Dec 1999 16:43:12 -0700 From: Nate Williams <nate@mt.sri.com> To: Adam Laurie <adam@algroup.co.uk> Cc: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: rc.firewall revisited Message-ID: <199912022343.QAA08462@mt.sri.com> In-Reply-To: <3846FA12.F1480F19@algroup.co.uk> References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
> > ipfw add X pass udp from any to ${dnsserver} 53
> > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > ipfw add X+2 deny log udp from any to any 53
> > ipfw add X+3 dney log udp from any 53 to any
>
> This breaks one of the basic rules of firewalling... Trusting traffic
> based on source address. To quote from the ipfw manual:
>
> Note that may be dangerous to filter on the source IP address or
> source
> TCP/UDP port because either or both could easily be spoofed.
>
> You've just let anyone that can spoof you DNS's source address onto any
> UDP port.
No he didn't, because you have spoofing rules in place *way* before
these rules are in place. Now you're defending Rod who states that to
have a good firewall, you need a lot more information about the internal
network and services provided than can be produced generically.
However, I think what you're proposing is better than what exists, so
gofer it!
Nate
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912022343.QAA08462>