From: "Mark W. Krentel" <krentel@dreamscape.com>
Date: Mon, 29 May 2000 00:07:29 -0400 (EDT)
To: freebsd-ipfw@FreeBSD.ORG
Cc: archie@whistle.com
Subject: Re: rc.firewall rule 200
Message-Id: <200005290407.AAA20103@dreamscape.com>

Last week, I asked about some of the rc.firewall rules. I've looked at them in more detail and I have a few more comments. I apologize in advance if I'm being dense about this.

(1) My conclusion is that rule 200 doesn't really add anything for security.

    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

Now, I realize that anything matching rule 200 cannot possibly be legitimate, and that's reason enough to deny it. But the claim was that someone on the same network could circumvent the firewall by using the machine's 127.0.0.1 address, as in the following attack.

    ifconfig lo0 down delete
    route add 127.0.0.0
    telnet 127.0.0.1

I don't see where this attack accomplishes anything. An outside packet destined for 127.0.0.1 must first enter on an interface other than loopback. At that point it's confronted with the same rules whether it's destined for 127.0.0.1 or the machine's legit address.
The point is that a hacker can just as easily use the machine's legit address and face the same set of rules.

(2) The UDP rules (client and simple types) seem a little loose to me.

    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 123 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 123

These rules allow access by anyone to all UDP ports (NFS, syslog, etc.) if the attack is made from port 53 or 123. I would suggest adding source address to the rules. Assuming you don't want to add another parameter for DNS server address (like net, mask and ip), you could put a note in a comment.

    # Allow DNS queries out in the world
    # Can strengthen these rules by replacing "any" with the
    # IP address of your DNS server.
    ${fwcmd} add pass udp from any 53 to ${ip}
    ${fwcmd} add pass udp from ${ip} to any 53

(3) And I'll make one more pitch for blocking spoofs of localhost with the following rule.

    ${fwcmd} add 400 deny all from 127.0.0.0/8 to any

The firewall type "simple" blocks spoofing of the inside network addresses (as it certainly should). I just don't see where spoofing localhost is any less dangerous.

Just my $0.02.

--Mark
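To make the first-match argument behind points (2) and (3) concrete, here is an added example (not code from the post or from rc.firewall) that models ipfw's rule evaluation in Python over the rules quoted above, showing why the "any 53" rule reaches every UDP port while the DNS-server form does not. The ${ip} and DNS addresses, the NFS port and the sample traffic are constructed assumptions, and the default rule is modelled as deny.

```python
import ipaddress

# Constructed addresses (assumptions, not from the post): the firewall host's
# own ${ip} and the DNS server that the tightened rule names instead of "any".
IP = "192.0.2.10"
DNS = "192.0.2.53"

def host_matches(spec, addr):
    """ipfw-style address test: 'any', an exact host, or a CIDR prefix."""
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return addr == spec

def rule(num, action, proto, src, sport, dst, dport):
    """One ipfw rule; a port of None means the rule names no port (any port)."""
    return dict(num=num, action=action, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)

def packet(proto, src, sport, dst, dport):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def matches(r, p):
    return (r["proto"] in ("all", p["proto"])
            and host_matches(r["src"], p["src"]) and r["sport"] in (None, p["sport"])
            and host_matches(r["dst"], p["dst"]) and r["dport"] in (None, p["dport"]))

def evaluate(rules, p):
    """First match wins, lowest number first; a packet matching nothing falls
    to the default rule, modelled here as deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["action"]
    return "deny"

# The post's DNS rule as written: any host reaches every UDP port on ${ip}
# provided the datagram's source port is 53.
LOOSE = [rule(300, "pass", "udp", "any", 53, IP, None)]
# The tightened form the post suggests: "any" replaced by the DNS server.
TIGHT = [rule(300, "pass", "udp", DNS, 53, IP, None)]
# The post's proposed rule 400 against datagrams claiming a loopback source.
ANTISPOOF = [rule(400, "deny", "all", "127.0.0.0/8", None, "any", None)]

def demo():
    # Constructed traffic: a real DNS reply, and an unrelated host using source port 53 at NFS (2049).
    reply = packet("udp", DNS, 53, IP, 34567)
    other = packet("udp", "198.51.100.7", 53, IP, 2049)
    return {"loose": (evaluate(LOOSE, reply), evaluate(LOOSE, other)),
            "tight": (evaluate(TIGHT, reply), evaluate(TIGHT, other))}
```

demo() returns pass/pass for the loose rule and pass/deny for the tightened one, which is the gap the post is pointing at.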