Date: Tue, 19 Feb 2002 16:56:30 +0600
From: Alexey Dokuchaev
To: arch@freebsd.org
Cc: ipfw@freebsd.org
Subject: Improvements to ipfw code (followup)
Message-ID: <20020219165630.A62749@cytherea.weblab.nsu.ru>

Hello,

Back in 1997, an email was sent to hackers@ about some substantial firewall code improvements, along with a patch, by Julian Assange. A PR (misc/2386) was then filed, but marked 'closed' shortly after submission for the reason 'Misfiled PR'. It seems never to have raised any interest afterwards, despite the fact that this work is definitely worth considering. I will forward the original mail at the end for those who are interested.

My particular interest in this comes from the fact that uid/gid-based IPFW filtering only works for outgoing connections, which is a neat thing of course. However, to be able to provide any service, I need to allow incoming connections as well, and this is where I got somewhat disappointed: I cannot control who's bind()'ing to whatever port (if outside setup connections are allowed), and if, say, for whatever reason my cvsupd (or ircd, or quaked) exits, any malicious user process can issue bind() to the [freed] unprivileged port. One might say this is not a big deal, since servers tend to restart themselves in case of any failure; however, for example, FTP passive mode requires setup connections to be allowed in a certain port range, and I really want only the ftp user to be able to bind() to those ports. At present, there is no way in IPFW to open ports for a specific user/group only, while Julian's patch seems to solve the problem. Time to revise this stuff again? :-)

The URL Julian gives in his email is no longer valid, but his patches are in PR misc/2386, and can also be found at ftp://regency.nsu.ru/tmp/ipfw.diff.

Sincerely,
Alexey Dokuchaev

------ Forwarded message ------
Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org, security@freebsd.org
Subject: new firewall code [uid/gid/bind() etc]
Message-ID: <19970106200116.16168.qmail@suburbia.net>

I tried posting the patches but, at 55k, it seems majordumbo has (silently) rejected them. You may find them at:

    ftp://suburbia.net/tmp/ipfw.diff

My "socket credentials" patches allow you to: punch wormholes, or restrict access to the IPPORT_RESERVED space, or restrict access to bind() altogether, based on:

  (a) uid
  (b) gid (including secondary groups)
  (c) port
  (d) protocol
  (e) interface

And more importantly: restrict access to packets being sent/received on any socket based on:

  (a) the packet (per normal ipfw rules)
  (b) uid
  (c) gid (including secondary groups)

The former permits constructs like:

    /* let uid sendmail bind to port 25 */
    # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind

    /* only let inetd bind - we presume inetd still needs to run as root
       for uid switching when forking off clients */
    # addgroup inetd
    # chgrp inetd /usr/sbin/inetd
    # chmod 2700 /usr/sbin/inetd
    # killall inetd
    # ipfw add accept all from any to any bind gid inetd uid root
    # /* default policy is to deny bind */

    /* keep those without security clearance out of secret network */
    # ipfw add accept all from any to any via ed0 gid secret
    # ipfw add deny all from any to any via ed0 gid any

Logging has also been enhanced:

    # ipfw add 60000 accept log all from any to any bind

    /* example of named starting up */
    ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
    ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind

Cheers,
Julian

------ End of forwarded message ------
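As an added illustration, not part of this mail or of Julian's patch, here is a small Python model of the bind() rule semantics the forwarded mail describes: first-match evaluation over uid, gid (including secondary groups), port, protocol and interface, with a deny-by-default policy for bind. The uid/gid numbers, the passive port range and the rule-field names are assumed values chosen for the example.

```python
# Constructed model of "socket credentials" bind() rules (assumption: first
# matching rule wins; no match falls through to the default policy).
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List


@dataclass
class Rule:
    action: str                       # "accept" or "deny"
    proto: str = "all"                # "tcp", "udp" or "all"
    ports: Tuple[int, ...] = ()       # (lo, hi) inclusive; () matches any port
    via: Optional[str] = None         # interface name; None matches any
    uid: Optional[int] = None         # None matches any uid
    gid: Optional[int] = None         # matched against primary OR secondary gids
    bind: bool = False                # rule applies to bind() attempts


@dataclass
class BindAttempt:
    proto: str
    port: int
    uid: int
    groups: FrozenSet[int]            # primary plus secondary gids of the process
    via: Optional[str] = None


def matches(rule: Rule, a: BindAttempt) -> bool:
    if not rule.bind:
        return False
    if rule.proto != "all" and rule.proto != a.proto:
        return False
    if rule.ports and not (rule.ports[0] <= a.port <= rule.ports[1]):
        return False
    if rule.via is not None and rule.via != a.via:
        return False
    if rule.uid is not None and rule.uid != a.uid:
        return False
    if rule.gid is not None and rule.gid not in a.groups:   # secondary groups count
        return False
    return True


def check_bind(rules: List[Rule], a: BindAttempt, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default policy."""
    for r in rules:
        if matches(r, a):
            return r.action
    return default


# Assumed ids: ftp uid 14, inetd gid 75. Policy: root may bind anywhere only if
# in group inetd; only the ftp user may bind the passive range 49152-49999.
FTP_UID, INETD_GID = 14, 75
RULES = [
    Rule("accept", uid=0, gid=INETD_GID, bind=True),
    Rule("accept", proto="tcp", ports=(49152, 49999), uid=FTP_UID, bind=True),
    Rule("deny", proto="tcp", ports=(49152, 49999), bind=True),
]
```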