Date: Wed, 20 Oct 1999 10:33:05 -0400
From: "Patrick Bihan-Faou" <patrick@mindstep.com>
To: "matt" <matt@BabCom.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: ipfw rule wrong in rc.firewall(?)
Message-ID: <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com>
References: <19991020104749.B17206@relay.ucb.crimea.ua> <Pine.BSF.4.20.9910200503320.40234-100000@s01.arpa-canada.net>
Hi,

From: matt <matt@BabCom.ORG>
> On Wed, 20 Oct 1999, Ruslan Ermilov wrote:
> [...]
> : Yes, src/etc/rc.firewall is incomplete, it misses two rules for incoming
> : UDP queries.
>
> Well, I guess I was not *totally* wrong, which is a minor miracle.
>
> : # Allow access to our DNS
> : allow tcp from any to ${oip} 53 setup    # zone transfers
> : allow udp from any to ${oip} 53          # incoming DNS queries (missing)
> : allow udp from ${oip} 53 to any          # answers to these queries (missing)
> :
> : # Allow DNS queries out in the world
> : allow udp from ${oip} to any 53          # outgoing DNS queries
> : allow udp from any 53 to ${oip}          # answers to these queries

Hmm... As somebody mentioned earlier, the last rule (allow udp from any 53 to ${oip}) is fairly weak. I would really love to see something along the lines of the TCP rules (allow tcp from any to any established) for UDP as well...

I know that it is not possible to do that just by looking at the UDP header; however, it would be possible to keep track of what connections have been established and allow or deny based on that (remember that a UDP packet from local ip/port 5555 to 1.2.3.4 port 53 has been sent 5 seconds ago, so let a packet from 1.2.3.4 port 53 reach local ip port 5555; anything else is bad...).

I guess it would add a couple of keywords, along the lines of:

    ipfw add allow udp from ${oip} to any 53 monitor 10
    ipfw add allow udp from any to any established
    ipfw add deny udp from any to any

where "monitor" indicates that we want to allow the return data flow, and 10 is a time-out value (packets must be no more than 10 seconds apart from one another).

If I have some time (in my dreams) I will look at implementing that scheme... In the meantime, I hope to get some comments on that idea...

Patrick.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message