Date:      Fri, 03 Dec 1999 17:09:13 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        Nate Williams <nate@mt.sri.com>
Cc:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <3847F939.47978597@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <3847C0CB.2E9774A@algroup.co.uk> <199912031601.JAA10973@mt.sri.com> <3847F55E.B546B2EB@algroup.co.uk> <199912031658.JAA11193@mt.sri.com>

Nate Williams wrote:
> 
> > > > And, of course, it also means you are wide open to attack from a
> > > > compromised name server. I do not want to trust hosts. I want to trust
> > > > specific connections to specific services.
> > >
> > > How do you propose to stop a compromised name server from giving out
> > > bogus information using a firewall rule?  I'm curious...
> >
> > Please re-read my statement. Who said anything about bogus
> > information?
> 
> Compromised implies that the information is 'bogus' and/or wrong.
> 
> > I'm talking about connecting to UDP ports (like NFS) that you're not
> > supposed to be able to connect to. Since his rule passes UDP that is
> > sourced from port 53 on the nameserver to ANY UDP port on ANY machine,
> > you are wide open to *attack*, not misinformation.
> 
> Huh?  How do you figure someone is going to *ATTACK* you by the process
> of *you* sending out information?
> 
> > At some point, your chain of name servers has to talk to the outside
> > world, so this means the machine that does the final relay is open to
> > attack from the outside world.
> 
> Right.  But, they can only talk to known ports on your machine that you
> allow (including port 53).  And, you only send out data *from* port 53
> (as well as other known ports).  I'm *really* confused as to how you
> think sending out data from a known port will compromise your machine?

ipfw add X pass udp from any to ${dnsserver} 53 
ipfw add X+1 pass udp from ${dnsserver} 53 to any 
                           ^^^^^^^^^^^^^^^^^^^^^^

This rule says the name server can talk to any UDP port on any machine
(including the firewall itself) as long as it's sourced from port 53.
Since I, as the attacker, now own the nameserver, I can use port 53 for
anything I like (as I demonstrated in my original post using netcat).
This works, believe me. I've done it. I can squirt data into a
"protected" syslog on port 514, which shouldn't be possible. Using my
rules, this is no longer possible.

[next bit cut from other sub-thread]

> As long as we don't allow 'spoofed' traffic to appear to be coming from
> $dnsserver, this is a very safe set of rules (although incomplete, as
> Rod points out).

How do you tell the difference between a spoofed packet and a
non-spoofed packet with ipfw?

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
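As an added illustration (not part of this message or of FreeBSD's ipfw), the Python simulation below evaluates the two-rule pair quoted above against constructed packets, and beside it a stateful variant that passes a port-53 reply only when the firewall has already forwarded the matching query. Addresses and port numbers are placeholders chosen for the example.

```python
"""Toy model of the quoted ipfw rule pair versus a stateful variant.
All packets and addresses below are constructed for the example."""
from dataclasses import dataclass

DNSSERVER = "192.0.2.53"   # stands in for ${dnsserver}
FIREWALL = "192.0.2.1"     # the firewall host itself


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def open_policy(pkt, state):
    """ipfw add X   pass udp from any to ${dnsserver} 53
       ipfw add X+1 pass udp from ${dnsserver} 53 to any"""
    if pkt.dst == DNSSERVER and pkt.dport == 53:
        return "pass"
    if pkt.src == DNSSERVER and pkt.sport == 53:
        return "pass"          # any destination host, any destination port
    return "deny"


def stateful_policy(pkt, state):
    """Same queries, but a reply from port 53 is passed only if it
    answers a query this firewall already saw (the idea behind
    ipfw's keep-state; entries are not aged out in this toy)."""
    if pkt.dst == DNSSERVER and pkt.dport == 53:
        state.add((pkt.src, pkt.sport))
        return "pass"
    if (pkt.src == DNSSERVER and pkt.sport == 53
            and (pkt.dst, pkt.dport) in state):
        return "pass"
    return "deny"


def run(policy, packets):
    """Evaluate packets in order with a fresh state table."""
    state = set()
    return [policy(p, state) for p in packets]


SAMPLE = [
    Packet("192.0.2.10", 40000, DNSSERVER, 53),  # legitimate query
    Packet(DNSSERVER, 53, "192.0.2.10", 40000),  # its reply
    Packet(DNSSERVER, 53, FIREWALL, 514),        # port 53 -> syslog
    Packet(DNSSERVER, 53, "192.0.2.20", 2049),   # port 53 -> NFS
]

if __name__ == "__main__":
    print("open:    ", run(open_policy, SAMPLE))
    print("stateful:", run(stateful_policy, SAMPLE))
```

The last two packets are the case the message describes: a host that owns the name server sourcing arbitrary UDP from port 53. The open rule passes them; the stateful check denies them because no matching query went out.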