From owner-freebsd-security Wed Nov 3 13:30: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 14297150DF for ; Wed, 3 Nov 1999 13:29:51 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (patr364-a118.otenet.gr [195.167.112.214]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id XAA08097 for ; Wed, 3 Nov 1999 23:28:40 +0200 (EET)
Received: (qmail 1004 invoked by uid 1001); 3 Nov 1999 16:07:04 -0000
To: freebsd-security@freebsd.org
Subject: Re: hole(s) in default rc.firewall rules
References: <381F4AAD.1D8E6001@algroup.co.uk>
From: Giorgos Keramidas
Date: 03 Nov 1999 18:07:04 +0200
In-Reply-To: Adam Laurie's message of "Tue, 02 Nov 1999 20:33:49 +0000"
Message-ID: <86g0yn8spj.fsf@localhost.hell.gr>
Lines: 37
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Adam Laurie writes:

> And for those that don't think this is a serious issue...
>
> Get a copy of netcat. Make sure syslogd is running in default mode (i.e.
> without "-s" option) on the target "firewalled" server. Run the
> following command on a machine outside the firewall:
>
> nc -u -p 53 -n [firewalled-server-ip] 514
>
> and type some text in. Now go and tail /var/log/messages on the target
> server, and you'll see the text that has just walked through your
> firewall. I leave it as an exercise for the reader to exploit an NFS
> mount in a similar fashion...

I don't know how well this would work in a larger environment, but I have set up my private named to forward queries to a couple of "trusted" name servers outside the firewall. Then I added rules that accept only udp packets originating from these two hosts (port 53), and the usual "deny all from any to any" catches the rest. Someone might also have the IP addresses of root-dns servers be accepted as well.

Oh, and another little bit. I have only recently brought up a small document that describes to the freebsd-newbies of my local area some parts of ipfw usage. I am a newbie in freebsd myself too, therefore I would be interested in any comments regarding this page, especially about things that are considered 'insecure' and are recommended there. The page is located at:

--
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
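An added illustration, not part of the thread, of the rule shapes discussed above: a tiny first-match model of the ipfw rule subset involved, used to show why a blanket "allow udp from any 53 to any" also admits a source-port-53 datagram aimed at syslog's port 514, and why rules restricted to the two trusted forwarders (as Giorgos describes) do not. The addresses, rule numbers and the assumption that the local named sends its queries from port 53 are constructed for the example.

```python
# Added example: minimal model of ipfw first-match evaluation for
# 'NNN allow|deny udp from SRC [PORT] to DST [PORT]' rules (constructed
# addresses; not the thread's or FreeBSD's own code).
import ipaddress

ME = "192.0.2.10"                           # constructed: the firewalled host
TRUSTED = ("198.51.100.1", "198.51.100.2")  # constructed: trusted forwarders

def parse_rule(line):
    """Parse one rule into (num, action, src, sport, dst, dport)."""
    tok = line.split()
    num, action = int(tok[0]), tok[1]
    if tok[2] != "udp" or tok[3] != "from" or "to" not in tok:
        raise ValueError(f"unsupported rule: {line}")
    i = tok.index("to")
    src, sport = tok[4], (tok[5] if i == 6 else None)
    dst, dport = tok[i + 1], (tok[i + 2] if len(tok) > i + 2 else None)
    return (num, action, src, sport, dst, dport)

def _host_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec is None or int(spec) == port

def verdict(rules, src, sport, dst, dport):
    """First matching rule wins, as in ipfw; no match falls to the default deny."""
    for _, action, s, sp, d, dp in sorted((parse_rule(r) for r in rules), key=lambda t: t[0]):
        if _host_ok(s, src) and _port_ok(sp, sport) and _host_ok(d, dst) and _port_ok(dp, dport):
            return action
    return "deny"

# Permissive shape: any datagram with source port 53 passes, whatever its destination port.
LEAKY = ["1000 allow udp from any 53 to any",
         "65000 deny udp from any to any"]

# Restricted shape: only the two forwarders, and only to/from the local resolver's port 53
# (assumes named queries from port 53, so replies come back to port 53).
TIGHT = [f"1000 allow udp from {ME} to {TRUSTED[0]} 53",
         f"1010 allow udp from {ME} to {TRUSTED[1]} 53",
         f"1020 allow udp from {TRUSTED[0]} 53 to {ME} 53",
         f"1030 allow udp from {TRUSTED[1]} 53 to {ME} 53",
         "65000 deny udp from any to any"]

if __name__ == "__main__":
    outsider = "203.0.113.7"  # constructed: a host outside the firewall
    print("leaky, outsider:53 -> me:514 :", verdict(LEAKY, outsider, 53, ME, 514))   # allow
    print("tight, outsider:53 -> me:514 :", verdict(TIGHT, outsider, 53, ME, 514))   # deny
    print("tight, forwarder:53 -> me:53 :", verdict(TIGHT, TRUSTED[0], 53, ME, 53))  # allow
```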