Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 03 Jul 2005 00:05:24 -0000
From:      Robert Watson <rwatson@freebsd.org>
To:        Alexey Dokuchaev <danfe@cytherea.weblab.nsu.ru>
Cc:        arch@freebsd.org, ipfw@freebsd.org
Subject:   Re: Improvements to ipfw code (followup)
Message-ID:  <Pine.NEB.3.96L.1020219113924.388H-100000@fledge.watson.org>
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>

next in thread | previous in thread | raw e-mail | index | archive | help
Just as a slight follow-up I should have included in my earlier e-mail:
the merging of ucred and pcred should make this patch now be able to
support real and saved uids/gids as well as effective uids/gids, meaning
that it can be used to also restrict setuid applications such as ping.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
> 
> Back in 1997, an email was sent to hackers@ about some substantial firewall code improvements,
> along with a patch, by Julian Assange <proff@{iq.org,suburbia.net}>.  A PR (misc/2386) was then
> filled, but marked 'closed' shortly after submission due to 'Misfiled PR' reason.  It seems to
> never raise any interest afterwards, despite the fact that this work definitely worth considering.
> 
> I will forward original mail at the end for those who's interested.  My particular interest in
> this comes from a fact that uid/gid-based IPFW filtering only works for outgoing connections,
> which is a neat thing of course.  However, to be able to provide any service, I need to allow
> incoming connections as well, and this is where I got somewhat disappointed: I cannot control
> who's bind()'ing to whatever port (if outside setup connections are allowed), and if, say, for
> whatever reason my cvsupd (or ircd, or quaked) exits, any malicious user process can issue bind()
> to the [freed] unprivileged port.  One might say this is not a big deal, since servers tend to
> restart themselves in case of any failure, however, for example, FTP passive mode requires setup
> connections allowed in certain port range, and I really want only ftp user to be able to bind()
> to those ports.  At present, there is no way in IPFW to open ports for specific user/group only,
> while Julian's patch seems to solve the problem.
> 
> Time to revise this stuff again? :-)
> 
> The URL Julian gives in his email is no longer valid, but his patches are in PR misc/2386, and
> also can be found at ftp://regency.nsu.ru/tmp/ipfw.diff.
> 
> Sincerely,
> Alexey Dokuchaev
> 
> ------ Forwarded message ------
> Date:      Tue, 7 Jan 1997 07:01:16 +1100 (EST)
> From:      proff@suburbia.net
> To:        hackers@freebsd.org, security@freebsd.org
> Subject:   new firewall code [uid/gid/bind() etc]
> Message-ID:  <19970106200116.16168.qmail@suburbia.net>
> 
> I tried posting the patches but, at 55k, it seems majordumbo has
> (silently) rejected them. You may find them at:
> 
> 	ftp://suburbia.net/tmp/ipfw.diff
> 
> My "socket credentials" patches allow you to:
> 
> 	punch wormholes, or restrict access to the IPPORT_RESERVED space, or
> 	restrict access to bind() altogether based on:
> 
> 		(a) uid
> 		(b) gid (including secondary groups)
> 		(c) port
> 		(d) protocol
> 		(e) interface
> 
> And more importantly:
> 
> 	Restrict access to packets being sent/received on any socket based on:
> 
> 		(a) the packet (per normal ipfw rules)
> 		(b) uid
> 		(c) gid (including secondary groups)
> 
> The former permits constructs like:
> 
> /* let uid sendmail bind to port 25 */
> # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind
> 
> /* only let inetd bind - we presume inetd still needs to run as root
>    for uid switching when forking off clients */
> 
> # addgroup inetd
> # chgrp inetd /usr/sbin/inetd
> # chmod 2700 /usr/sbin/inetd
> # killall inetd
> # ipfw add accept all from any to any bind gid inetd uid root
> # /* default policy is to deny bind */
> 
> /* keep those without security clearance out of secret network */
> # ipfw add accept all from any to any via ed0 gid secret
> # ipfw add deny all from any to any via ed0 gid any
> 
> Loging has also been enhanced:
> 
> # ipfw add 60000 accept log all from any to any bind
> /* example of named starting up */
> 
> ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> 
> Cheers,
> Julian <proff@iq.org>
> 
> ------ End of forwarded message ------
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020219113924.388H-100000>