Date:      Thu, 02 Dec 1999 11:02:51 -0500 (EST)
From:      John Baldwin <jhb@FreeBSD.org>
To:        Adam Laurie <adam@algroup.co.uk>, freebsd-security@FreeBSD.org
Subject:   rc.firewall revisited
Message-ID:  <199912021602.LAA37669@server.baldwin.cx>
In-Reply-To: <38468E10.2E3B3338@algroup.co.uk>


On 02-Dec-99 Adam Laurie wrote:
> My specific experience was that I found a hole in the default
> rc.firewall rules. This hole means that UDP is totally unprotected
> because of faulty rules for DNS and NTP. I posted a suggested fix to
> the security-officer, and got an immediate reply saying "I agree
> 100%".  The security-officer is clearly also a list, because I then
> got another reply from someone else, telling me how to configure my
> DNS. This degenerated into a thread related to DNS server
> configuration and entirely missing the point regarding ipfw. I then
> suggested moving it to the wider forum of this list, and guess
> what...? The same thing happened! The thread disappeared in a cloud
> of irrelevant discussion about how to set up name servers. As I
> say, I'm currently unaware of the status of rc.firewall, but when I
> get around to checking it, if it hasn't been fixed, you'll be
> reading about yourselves on bugtraq again! If it has been fixed,
> then excellent, well done, etc. etc. :)

I checked the logs, and no change has been committed.  Your proposal is
to replace:

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

with:

    # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
    # and all other high ports. Allow outgoing UDP.
    $fwcmd add pass udp from any to ${ip} 123
    $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
    $fwcmd add pass udp from any to any

There were concerns about DNS replies to a local server.  In -current
and -stable, BIND is 8.2.x, so queries to the outside do not originate
from 53 by default, and so replies do not come in to port 53.  However,
if machines inside the firewall use a DNS server on the firewall then
you could have problems.  Perhaps this instead then:

    # Allow NTP to this machine
    $fwcmd add pass udp from any to ${ip} 123

    # Allow DNS requests to this machine
    $fwcmd add pass udp from any to ${ip} 53

    # Deny all other incoming requests on low ports and NFS
    $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049

    # Allow all outgoing UDP
    $fwcmd add pass udp from any to any

-- 

John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
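As an added illustration that is not part of the thread, here is a small Python simulation of ipfw's first-match evaluation applied to the three rule sets quoted above (the original rc.firewall lines, Adam's proposal, and the revised version). The addresses and the probe packets are constructed, and the simulator assumes the list ends in rc.firewall's deny-everything-else rule.

```python
import re
IP, REMOTE = "192.0.2.1", "198.51.100.9"   # constructed: ${ip} and a remote host

# The thread's three rule sets (leading $fwcmd dropped).
ORIGINAL = """add pass udp from any 53 to ${ip}
add pass udp from ${ip} to any 53
add pass udp from any 123 to ${ip}
add pass udp from ${ip} to any 123"""
LAURIE = """add pass udp from any to ${ip} 123
add deny udp from any to ${ip} 0-1023,1110,2049
add pass udp from any to any"""
BALDWIN = """add pass udp from any to ${ip} 123
add pass udp from any to ${ip} 53
add deny udp from any to ${ip} 0-1023,1110,2049
add pass udp from any to any"""

RULE = re.compile(r"add (pass|deny) udp from (\S+)(?: (\d[\d,-]*))?"
                  r" to (\S+)(?: (\d[\d,-]*))?$")

def parse(text):
    """rc.firewall lines -> (action, src, sport, dst, dport); None means any."""
    return [RULE.match(l).groups() for l in text.replace("${ip}", IP).splitlines()]

def port_match(spec, port):
    """spec is None (any port) or an ipfw port list such as '0-1023,1110,2049'."""
    if spec is None:
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src, sport, dst, dport):
    """First-match evaluation; assumes rc.firewall's closing deny-all rule."""
    for action, rsrc, rsport, rdst, rdport in rules:
        if (rsrc in ("any", src) and port_match(rsport, sport)
                and rdst in ("any", dst) and port_match(rdport, dport)):
            return action
    return "deny"

def probe(text):
    """Constructed inbound UDP packets aimed at the firewall host itself."""
    rules = parse(text)
    return {
        "sport53_to_nfs": evaluate(rules, REMOTE, 53, IP, 2049),
        "sport53_to_dns": evaluate(rules, REMOTE, 53, IP, 53),
        "query_to_dns": evaluate(rules, REMOTE, 40000, IP, 53),
        "reply_to_high_port": evaluate(rules, REMOTE, 53, IP, 40000),
    }
```

With the original rules, any datagram whose source port is 53 is passed regardless of destination port (including NFS on 2049), which is the hole under discussion; Adam's set closes it but also rejects replies arriving at port 53, and the revised set keeps port 53 open for a local DNS server while still denying the other low ports.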

