Date:      Tue, 30 May 2000 09:48:59 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        krentel@dreamscape.com (Mark W. Krentel)
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: rc.firewall rule 200
Message-ID:  <200005301648.JAA32109@bubba.whistle.com>
In-Reply-To: <200005290407.AAA20103@dreamscape.com> from "Mark W. Krentel" at "May 29, 2000 00:07:29 am"

Mark W. Krentel writes:
> Last week, I asked about some of the rc.firewall rules.  I've looked
> at them in more detail and I have a few more comments.  I apologize in
> advance if I'm being dense about this.
> 
> (1) My conclusion is that rule 200 doesn't really add anything for
> security.
> 
>    ${fwcmd} add 100 pass all from any to any via lo0
>    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> 
> Now, I realize that anything matching rule 200 cannot possibly be
> legitimate, and that's reason enough to deny it.  But the claim was
> that someone on the same network could circumvent the firewall by
> using the machine's 127.0.0.1 address, as in the following attack.
> 
>    ifconfig lo0 down delete
>    route add 127.0.0.0 <your-machine-ip-address>
>    telnet 127.0.0.1
> 
> I don't see where this attack accomplishes anything.  An outside
> packet destined for 127.0.0.1 must first enter on an interface other
> than loopback.  At that point it's confronted with the same rules
> whether it's destined for 127.0.0.1 or the machine's legit address.
> The point is that a hacker can just as easily use the machine's legit
> address and face the same set of rules.

But.. sometimes sensitive services are running bound (only) to the address
127.0.0.1, and there are no firewall rules to protect them, because
normally none are needed. By doing the 'route add ..' trick an adversary
can negate this assumption. If you happen to be relying on it, you're
in trouble.

As an example, you have to look no farther than FreeBSD two years ago:

  http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall (revision 1.19)
  http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6406

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
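Added example, not part of the thread or of FreeBSD's rc.firewall: a toy first-match evaluator for the two rules quoted above, used to show what rule 200 changes. It models ipfw's first-match semantics for a small subset of the rule syntax (action, source, destination, optional "via" interface). The permissive tail rule 65000, the interface name fxp0 and the addresses are assumptions constructed for the demonstration; the tail stands in for a ruleset that, as Archie notes, has no rules covering services bound only to 127.0.0.1.

```python
"""Toy ipfw-style evaluator for rc.firewall rules 100 and 200 (added example, not FreeBSD code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                 # "pass" or "deny"
    src: IPv4Network
    dst: IPv4Network
    via: Optional[str] = None   # interface name, or None for "any interface"


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                  # interface the packet is seen on


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipfw 'via' matches the interface in either direction; here we only model inbound."""
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst


def evaluate(rules, pkt: Packet):
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise AssertionError("ruleset must end with a catch-all rule")


ANY = ip_network("0.0.0.0/0")
LOOPBACK = ip_network("127.0.0.0/8")

# The two rules quoted from rc.firewall.
RULE_100 = Rule(100, "pass", ANY, ANY, via="lo0")
RULE_200 = Rule(200, "deny", ANY, LOOPBACK)
# Hypothetical permissive tail (an assumption): a ruleset with nothing written
# to protect services that listen only on 127.0.0.1, because "none is needed".
RULE_65000 = Rule(65000, "pass", ANY, ANY)

WITH_200 = [RULE_100, RULE_200, RULE_65000]
WITHOUT_200 = [RULE_100, RULE_65000]

# Constructed packets. 192.0.2.10 is a host on the same LAN (documentation range),
# 198.51.100.5 the firewall's own address, fxp0 its non-loopback interface.
LOCAL_CLIENT = Packet("127.0.0.1", "127.0.0.1", "lo0")
LOOPBACK_FROM_LAN = Packet("192.0.2.10", "127.0.0.1", "fxp0")   # the 'route add' case
TO_REAL_ADDRESS = Packet("192.0.2.10", "198.51.100.5", "fxp0")


def demo():
    """Compare how each packet fares with and without rule 200."""
    return {
        "local client via lo0": evaluate(WITH_200, LOCAL_CLIENT),
        "to 127.0.0.1 on fxp0, with rule 200": evaluate(WITH_200, LOOPBACK_FROM_LAN),
        "to 127.0.0.1 on fxp0, without rule 200": evaluate(WITHOUT_200, LOOPBACK_FROM_LAN),
        "to real address on fxp0": evaluate(WITH_200, TO_REAL_ADDRESS),
    }


if __name__ == "__main__":
    for case, (number, action) in demo().items():
        print(f"{case}: rule {number} -> {action}")
```

Rule 100 only matches traffic on lo0, so a packet addressed to 127.0.0.1 but arriving on fxp0 falls past it; with rule 200 present it is denied at 200, without it the packet is judged by whatever follows, which is exactly where a loopback-only service ends up unprotected. A packet to the machine's real address is unaffected by rule 200 either way, which is why the rule costs nothing for legitimate traffic.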



