Date: Thu, 02 Dec 1999 17:52:10 +0000 From: Adam Laurie <adam@algroup.co.uk> To: John Baldwin <jhb@FreeBSD.org> Cc: freebsd-security@FreeBSD.org Subject: Re: rc.firewall revisited Message-ID: <3846B1CA.21FD4270@algroup.co.uk> References: <199912021602.LAA37669@server.baldwin.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
John Baldwin wrote:
>
> On 02-Dec-99 Adam Laurie wrote:
> > My specific experience was that I found a hole in the default
> > rc.firewall rules. This hole means that UDP is totally unprotected
> > because of faulty rules for DNS and NTP. I posted a suggested fix to
> > the security-officer, and got an immediate reply saying "I agree
> > 100%". The security-officer is clearly also a list, because I then
> > got another reply from someone else, telling me how to configure my
> > DNS. This degenerated into a thread related to DNS server
> > configuration and entirely missing the point regarding ipfw. I then
> > suggested moving it to the wider forum of this list, and guess
> > what...? The same thing happened! The thread diappeared in a cloud
> > of irrelevant discussion about how to set up name servers. As I
> > say, I'm currently unaware of the status of rc.firewall, but when I
> > get around to checking it, if it hasn't been fixed, you'll be
> > reading about yourselves on bugtraq again! If it has been fixed,
> > then excellent, well done, etc. etc. :)
>
> I checked the logs, and no change has been committed. Your proposal is
> to replace:
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${ip}
> $fwcmd add pass udp from ${ip} to any 53
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${ip}
> $fwcmd add pass udp from ${ip} to any 123
>
> with:
>
> # Block low port incoming UDP (and NFS) but allow replies for DNS,
> NTP
> # and all other high ports. Allow outgoing UDP.
> $fwcmd add pass udp from any to ${ip} 123
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> $fwcmd add pass udp from any to any
>
> There were concerns about DNS replies to a local server. In -current
> and -stable, BIND is 8.2.x, so queries to the outside do not originate
> from 53 by default, and so replies do not come in to port 53. However,
> if machines inside the firewall use a DNS server on the firewall then
> you could have problems. Perhaps this instead then:
>
> # Allow NTP to this machine
> $fwcmd add pass udp from any to ${ip} 123
>
> # Allow DNS requests to this machine
> $fwcmd add pass udp from any to ${ip} 53
>
> # Deny all other incoming requests on low ports and NFS
> $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
>
> # Allow all outgoing UDP
> $fwcmd add pass udp from any to any
OK, well this more or less matches my own current iteration, so I have
no problem with that...
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3846B1CA.21FD4270>