Date:      Wed, 20 Oct 1999 10:33:05 -0400
From:      "Patrick Bihan-Faou" <patrick@mindstep.com>
To:        "matt" <matt@BabCom.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: ipfw rule wrong in rc.firewall(?)
Message-ID:  <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com>
References:  <19991020104749.B17206@relay.ucb.crimea.ua> <Pine.BSF.4.20.9910200503320.40234-100000@s01.arpa-canada.net>

Hi,

From: matt <matt@BabCom.ORG>

> On Wed, 20 Oct 1999, Ruslan Ermilov wrote:
> [...]
> : Yes, src/etc/rc.firewall is incomplete, it misses two rules for incoming
> : UDP queries.
>
> Well, I guess I was not *totally* wrong, which is a minor miracle.
>
> : # Allow access to our DNS
> : allow tcp from any to ${oip} 53 setup # zone transfers
> : allow udp from any to ${oip} 53 # incoming DNS queries (missing)
> : allow udp from ${oip} 53 to any # answers to these queries (missing)
> :
> : # Allow DNS queries out in the world
> : allow udp from ${oip} to any 53 # outgoing DNS queries
> : allow udp from any 53 to ${oip} # answers to these queries

Humm...

As somebody mentioned earlier, the last rule (allow udp from any 53 to
${oip}) is fairly weak. I would really love to see something along the lines
of the TCP rules (allow tcp from any to any established) for UDP as well...

I know that it is not possible to do that just by looking at the UDP header,
however it would be possible to keep track of what connections have been
established and allow or deny based on that (remember that a UDP packet from
local ip/port 5555 to 1.2.3.4 port 53 has been sent 5 seconds ago, so let a
packet from 1.2.3.4 port 53 reach local ip port 5555, anything else is
bad...)

I guess it would add a couple of keywords along the lines of:

ipfw add allow udp from ${oip} to any 53 monitor 10
ipfw add allow udp from any to any established
ipfw add deny udp from any to any

where "monitor" indicates that we want to allow the return data flow, 10 is
a time-out value (packets must be no more than 10 seconds apart from one
another).


If I have some time (in my dreams) I will look at implementing that
scheme... In the meantime, I hope to get some comments on that idea...



Patrick.
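The return-flow tracking sketched in the message above, as an added example that is not part of Patrick's mail or of ipfw itself: a small Python model of the proposed `monitor 10` / `established` keywords, run beside the stateless `allow udp from any 53 to ${oip}` rule so both can be judged on the same packets. The local address `OIP`, the peer addresses and the port numbers are constructed placeholders.

```python
from collections import namedtuple

OIP = "192.0.2.10"   # constructed stand-in for ${oip}, the firewall's outside address
TIMEOUT = 10         # seconds, the "10" in "monitor 10"

# One UDP datagram as the rules see it: addresses and ports only.
Pkt = namedtuple("Pkt", "src sport dst dport")

def static_rule_allows(pkt):
    """Stateless rc.firewall rule 'allow udp from any 53 to ${oip}'."""
    return pkt.sport == 53 and pkt.dst == OIP

class StatefulUdpFilter:
    """Models the proposed rule set: monitor outgoing DNS, allow established, deny the rest."""

    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> time after which the entry expires

    def evaluate(self, pkt, now):
        # Rule 1: allow udp from ${oip} to any 53 monitor 10 -> allow and remember the flow
        if pkt.src == OIP and pkt.dport == 53:
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return "allow"
        # Rule 2: allow udp from any to any established -> the reverse tuple must be known
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is not None:
            if now <= expiry:
                self.flows[key] = now + self.timeout  # refresh: packets no more than 10 s apart
                return "allow"
            del self.flows[key]  # stale entry: forget it and fall through to the deny
        # Rule 3: deny udp from any to any
        return "deny"

def demo():
    """Run the same packets through both models and return the verdicts by name."""
    fw = StatefulUdpFilter()
    query = Pkt(OIP, 5555, "1.2.3.4", 53)              # local port 5555 -> 1.2.3.4:53
    reply = Pkt("1.2.3.4", 53, OIP, 5555)              # the answer to that query
    unsolicited = Pkt("198.51.100.7", 53, OIP, 5555)   # port 53 on a host never queried
    return {
        "query": fw.evaluate(query, 0.0),
        "reply": fw.evaluate(reply, 5.0),
        "unsolicited": fw.evaluate(unsolicited, 6.0),
        "unsolicited_static": "allow" if static_rule_allows(unsolicited) else "deny",
        "late_reply": fw.evaluate(reply, 30.0),
    }
```

The stateless rule passes `unsolicited` because it only looks at the source port, while the stateful model denies it and also drops `late_reply` once the 10-second window has closed.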



