Date: Fri, 03 Dec 1999 16:52:46 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Nate Williams <nate@mt.sri.com>
Cc: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall revisited
Message-ID: <3847F55E.B546B2EB@algroup.co.uk>
References: <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com>
Nate Williams wrote:
>
> > And, of course, it also means you are wide open to attack from a
> > compromised name server. I do not want to trust hosts. I want to trust
> > specific connections to specific services.
>
> How do you propose to stop a compromised name server from giving out
> bogus information using a firewall rule? I'm curious...

Please re-read my statement. Who said anything about bogus information?
I'm talking about connecting to UDP ports (like NFS) that you're not
supposed to be able to connect to. Since his rule passes UDP that is
sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
you are wide open to *attack*, not misinformation.

At some point, your chain of name servers has to talk to the outside
world, so this means the machine that does the final relay is open to
attack from the outside world.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
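The rule Adam objects to, modelled as an added example (not code from this thread or from FreeBSD's rc.firewall): the weak variant matches only on the name server's address and source port 53, so a datagram aimed at nfsd passes; a stateful variant admits a reply only to the inside host and port that actually sent a query. The addresses, the rule wording and the port 40000 are constructed assumptions; 53 and 2049 are the real DNS and NFS ports.

```python
"""Model of the UDP rule discussed in the thread (constructed example)."""
from dataclasses import dataclass

NAMESERVER = "192.0.2.53"   # constructed address of the upstream name server
NFS_PORT = 2049             # nfsd's UDP port, the kind of service Adam means


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int


def weak_rule(pkt: Udp) -> bool:
    """'allow udp from NAMESERVER 53 to any': only the source is checked,
    so the destination port is never looked at."""
    return pkt.src == NAMESERVER and pkt.sport == 53


class StatefulRule:
    """Remembers outbound queries so only genuine replies are admitted."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int]] = set()  # (inside host, port)

    def outbound(self, pkt: Udp) -> None:
        """Record a query leaving the inside toward NAMESERVER:53."""
        if pkt.dst == NAMESERVER and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport))

    def inbound(self, pkt: Udp) -> bool:
        """Admit a datagram from NAMESERVER:53 only if it answers a query."""
        if not (pkt.src == NAMESERVER and pkt.sport == 53):
            return False
        key = (pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)   # one reply per recorded query
            return True
        return False


def demo() -> dict:
    """Constructed traffic: one real DNS exchange and one datagram at nfsd.
    Returns (weak, stateful) verdicts for each inbound datagram."""
    state = StatefulRule()
    state.outbound(Udp("198.51.100.10", 40000, NAMESERVER, 53))
    reply = Udp(NAMESERVER, 53, "198.51.100.10", 40000)
    probe = Udp(NAMESERVER, 53, "198.51.100.10", NFS_PORT)
    return {"reply": (weak_rule(reply), state.inbound(reply)),
            "probe": (weak_rule(probe), state.inbound(probe))}
```

The stateful class models the idea of tracking queries, not any particular ipfw feature or version.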