Date:      Mon, 29 May 2000 00:07:29 -0400 (EDT)
From:      "Mark W. Krentel" <krentel@dreamscape.com>
To:        freebsd-ipfw@FreeBSD.ORG
Cc:        archie@whistle.com
Subject:   Re: rc.firewall rule 200
Message-ID:  <200005290407.AAA20103@dreamscape.com>

Last week, I asked about some of the rc.firewall rules.  I've looked
at them in more detail and I have a few more comments.  I apologize in
advance if I'm being dense about this.

(1) My conclusion is that rule 200 doesn't really add anything for
security.

   ${fwcmd} add 100 pass all from any to any via lo0
   ${fwcmd} add 200 deny all from any to 127.0.0.0/8

Now, I realize that anything matching rule 200 cannot possibly be
legitimate, and that's reason enough to deny it.  But the claim was
that someone on the same network could circumvent the firewall by
using the machine's 127.0.0.1 address, as in the following attack.

   ifconfig lo0 down delete
   route add 127.0.0.0 <your-machine-ip-address>
   telnet 127.0.0.1

I don't see where this attack accomplishes anything.  An outside
packet destined for 127.0.0.1 must first enter on an interface other
than loopback.  At that point it's confronted with the same rules
whether it's destined for 127.0.0.1 or the machine's legit address.
The point is that a hacker can just as easily use the machine's legit
address and face the same set of rules.

(2) The UDP rules (client and simple types) seem a little loose to me.

   ${fwcmd} add pass udp from any 53 to ${ip}
   ${fwcmd} add pass udp from ${ip} to any 53
   ${fwcmd} add pass udp from any 123 to ${ip}
   ${fwcmd} add pass udp from ${ip} to any 123

These rules allow access by anyone to all UDP ports (NFS, syslog, etc)
if the attack is made from port 53 or 123.  I would suggest adding
source address to the rules.  Assuming you don't want to add another
parameter for DNS server address (like net, mask and ip), you could
put a note in a comment.

   # Allow DNS queries out in the world
   # Can strengthen these rules by replacing "any" with the 
   # IP address of your DNS server.
   ${fwcmd} add pass udp from any 53 to ${ip}
   ${fwcmd} add pass udp from ${ip} to any 53

(3) And I'll make one more pitch for blocking spoofs of localhost with
the following rule.

   ${fwcmd} add 400 deny all from 127.0.0.0/8 to any

The firewall type "simple" blocks spoofing of the inside network
addresses (as it certainly should).  I just don't see where spoofing
localhost is any less dangerous.

Just my $0.02.

--Mark
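The three points above are all about first-match ordering, so they are easiest to check by walking constructed packets through the rules. The following is an added example, not code from this thread or from FreeBSD's rc.firewall: a deliberately simplified ipfw-style evaluator (numbered rules, first match wins, implicit final deny) with two rulesets, the loose UDP rules as quoted and a tightened set that restricts the DNS rules to a named server and adds the proposed rule 400. The host address, the DNS server address, the interface name `fxp0` and the rule numbers 500/510 for the unnumbered `add pass udp` lines (ipfw assigns unnumbered rules numbers after the last numbered one) are all assumptions for the demonstration.

```python
"""Toy first-match evaluator for a handful of ipfw-style rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", ...
    src: str                    # source IP address
    dst: str                    # destination IP address
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: str = "fxp0"         # interface the packet is seen on (constructed name)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "pass" or "deny"
    proto: str                  # "all", "udp", "tcp"
    src: str                    # CIDR/host or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    via: Optional[str] = None   # interface name, as in "via lo0"


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule; ipfw ends with an implicit deny (65535)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


IP = "10.0.0.2"       # constructed: the firewall host's own address (${ip})
DNS = "10.0.0.53"     # constructed: the site's DNS server

# Rules as quoted in the message: anything from UDP source port 53 reaches any port on the host.
LOOSE = [
    Rule(100, "pass", "all", "any", "any", via="lo0"),
    Rule(200, "deny", "all", "any", "127.0.0.0/8"),
    Rule(500, "pass", "udp", "any", IP, sport=53),
    Rule(510, "pass", "udp", IP, "any", dport=53),
]

# Tightened set: "any" replaced by the DNS server address, plus the proposed rule 400.
TIGHT = [
    Rule(100, "pass", "all", "any", "any", via="lo0"),
    Rule(200, "deny", "all", "any", "127.0.0.0/8"),
    Rule(400, "deny", "all", "127.0.0.0/8", "any"),
    Rule(500, "pass", "udp", DNS, IP, sport=53),
    Rule(510, "pass", "udp", IP, DNS, dport=53),
]

# Constructed packets for each point in the message.
NFS_FROM_53 = Packet("udp", "192.0.2.7", IP, sport=53, dport=2049)        # point (2)
DNS_REPLY = Packet("udp", DNS, IP, sport=53, dport=1025)                  # legitimate reply
SPOOFED_LOOPBACK = Packet("udp", "127.0.0.1", IP, sport=53, dport=2049)   # point (3)
TO_LOOPBACK_EXTERNAL = Packet("tcp", "192.0.2.7", "127.0.0.1", dport=23)  # point (1)
TO_LEGIT_EXTERNAL = Packet("tcp", "192.0.2.7", IP, dport=23)              # point (1), same rules
LOCAL_LOOPBACK = Packet("tcp", "127.0.0.1", "127.0.0.1", dport=23, iface="lo0")


if __name__ == "__main__":
    for name, pkt in [("NFS from sport 53", NFS_FROM_53), ("DNS reply", DNS_REPLY),
                      ("spoofed 127.0.0.1", SPOOFED_LOOPBACK),
                      ("external to 127.0.0.1", TO_LOOPBACK_EXTERNAL),
                      ("external to host IP", TO_LEGIT_EXTERNAL),
                      ("real loopback", LOCAL_LOOPBACK)]:
        print(f"{name:24s} loose={evaluate(LOOSE, pkt)} tight={evaluate(TIGHT, pkt)}")
```

Running it shows the asymmetry the message points out: under the loose rules the NFS probe from source port 53 and the 127.0.0.1-sourced packet both hit rule 500 and pass, while the legitimate DNS reply still passes under the tightened set and the two spoofed cases fall through to rule 400 or the implicit deny. The two packets for point (1), one addressed to 127.0.0.1 and one to the host's real address, are both refused, just by different rules.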

