Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 19 Feb 2002 11:39:08 -0500 (EST)
From:      Robert Watson <rwatson@freebsd.org>
To:        Alexey Dokuchaev <danfe@cytherea.weblab.nsu.ru>
Cc:        arch@freebsd.org, ipfw@freebsd.org
Subject:   Re: Improvements to ipfw code (followup)
Message-ID:  <Pine.NEB.3.96L.1020219113829.388G-100000@fledge.watson.org>
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Many of these look interesting.  However, it's worth noting that most of
them are broken with SSH port forwarding, due to sshd binding ports as
root, as opposed to as the authenticated credential.  This has presented a
problem for us for the MAC code also, and requires substantial re-working
of the sshd code.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
> 
> Back in 1997, an email was sent to hackers@ about some substantial firewall code improvements,
> along with a patch, by Julian Assange <proff@{iq.org,suburbia.net}>.  A PR (misc/2386) was then
> filled, but marked 'closed' shortly after submission due to 'Misfiled PR' reason.  It seems to
> never raise any interest afterwards, despite the fact that this work definitely worth considering.
> 
> I will forward original mail at the end for those who's interested.  My particular interest in
> this comes from a fact that uid/gid-based IPFW filtering only works for outgoing connections,
> which is a neat thing of course.  However, to be able to provide any service, I need to allow
> incoming connections as well, and this is where I got somewhat disappointed: I cannot control
> who's bind()'ing to whatever port (if outside setup connections are allowed), and if, say, for
> whatever reason my cvsupd (or ircd, or quaked) exits, any malicious user process can issue bind()
> to the [freed] unprivileged port.  One might say this is not a big deal, since servers tend to
> restart themselves in case of any failure, however, for example, FTP passive mode requires setup
> connections allowed in certain port range, and I really want only ftp user to be able to bind()
> to those ports.  At present, there is no way in IPFW to open ports for specific user/group only,
> while Julian's patch seems to solve the problem.
> 
> Time to revise this stuff again? :-)
> 
> The URL Julian gives in his email is no longer valid, but his patches are in PR misc/2386, and
> also can be found at ftp://regency.nsu.ru/tmp/ipfw.diff.
> 
> Sincerely,
> Alexey Dokuchaev
> 
> ------ Forwarded message ------
> Date:      Tue, 7 Jan 1997 07:01:16 +1100 (EST)
> From:      proff@suburbia.net
> To:        hackers@freebsd.org, security@freebsd.org
> Subject:   new firewall code [uid/gid/bind() etc]
> Message-ID:  <19970106200116.16168.qmail@suburbia.net>
> 
> I tried posting the patches but, at 55k, it seems majordumbo has
> (silently) rejected them. You may find them at:
> 
> 	ftp://suburbia.net/tmp/ipfw.diff
> 
> My "socket credentials" patches allow you to:
> 
> 	punch wormholes, or restrict access to the IPPORT_RESERVED space, or
> 	restrict access to bind() altogether based on:
> 
> 		(a) uid
> 		(b) gid (including secondary groups)
> 		(c) port
> 		(d) protocol
> 		(e) interface
> 
> And more importantly:
> 
> 	Restrict access to packets being sent/received on any socket based on:
> 
> 		(a) the packet (per normal ipfw rules)
> 		(b) uid
> 		(c) gid (including secondary groups)
> 
> The former permits constructs like:
> 
> /* let uid sendmail bind to port 25 */
> # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind
> 
> /* only let inetd bind - we presume inetd still needs to run as root
>    for uid switching when forking off clients */
> 
> # addgroup inetd
> # chgrp inetd /usr/sbin/inetd
> # chmod 2700 /usr/sbin/inetd
> # killall inetd
> # ipfw add accept all from any to any bind gid inetd uid root
> # /* default policy is to deny bind */
> 
> /* keep those without security clearance out of secret network */
> # ipfw add accept all from any to any via ed0 gid secret
> # ipfw add deny all from any to any via ed0 gid any
> 
> Loging has also been enhanced:
> 
> # ipfw add 60000 accept log all from any to any bind
> /* example of named starting up */
> 
> ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> 
> Cheers,
> Julian <proff@iq.org>
> 
> ------ End of forwarded message ------
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020219113829.388G-100000>