Date:      Fri, 03 Dec 1999 16:48:59 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        Nate Williams <nate@mt.sri.com>
Cc:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, John Baldwin <jhb@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: rc.firewall revisited
Message-ID:  <3847F47B.834A27AE@algroup.co.uk>
References:  <199912021954.LAA74271@gndrsh.dnsmgr.net> <3846FA12.F1480F19@algroup.co.uk> <199912022343.QAA08462@mt.sri.com> <3847ACBE.3D66A556@algroup.co.uk> <199912031600.JAA10966@mt.sri.com>

Nate Williams wrote:
> 
> > > > > ipfw add X pass udp from any to ${dnsserver} 53
> > > > > ipfw add X+1 pass udp from ${dnsserver} 53 to any
> > > > > ipfw add X+2 deny log udp from any to any 53
> > > > > ipfw add X+3 deny log udp from any 53 to any
> > > >
> > > > This breaks one of the basic rules of firewalling... Trusting traffic
> > > > based on source address. To quote from the ipfw manual:
> > > >
> > > >      Note that may be dangerous to filter on the source IP address or
> > > >      source TCP/UDP port because either or both could easily be spoofed.
> > > >
> > > > You've just let anyone that can spoof your DNS's source address onto any
> > > > UDP port.
> > >
> > > No he didn't, because you have spoofing rules in place *way* before
> > > these rules are in place.  Now you're defending Rod who states that to
> > > have a good firewall, you need a lot more information about the internal
> > > network and services provided than can be produced generically.
> >
> > If only life were that simple. I assume the rule you're referring to is:
> >
> >     # Stop spoofing
> >     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> >     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> >
> > This simply stops traffic that's pretending to be your internal network
> > coming in from the outside, and vice versa. It does not help with other
> > networks being spoofed.
> 
> True, but neither did the rules you (?) proposed previously.  The rules
> Rod listed limited the packets to come/go *only* from the internal DNS
> server on the network, so in no way makes it any worse than what was
> proposed, and only makes it better.  However, they require more
> knowledge of the external IP address of the box as well as the external
> interface, along with the internal IP addresses.

I disagree. My rule blocks traffic to UDP ports that are required to be
protected, regardless of where they come from. Rod's rules allow the
name server to connect to ANY UDP port. That is the problem.

> 
> > The bottom line is that if you're going to provide out-of-box firewall
> > rules, then they should be set up to protect the out-of-box
> > configuration.
> 
> I don't believe you can do a great job of that, but we can do a better
> job than what we're currently doing.

Agreed.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
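As an added example, not from the thread: a small first-match model of the ipfw rules quoted above, run against constructed packets to show what "pass udp from ${dnsserver} 53 to any" lets through. The name server address, the set of "protected" UDP ports, and the ordering used for Adam's approach are assumptions, since his actual rules are not quoted in this message.

```python
# Minimal model of ipfw first-match evaluation for UDP rules (added example,
# not code from the thread or from FreeBSD). Interfaces and direction are
# ignored; only addresses and ports are matched.
from dataclasses import dataclass

DNSSERVER = "192.0.2.53"      # constructed placeholder for ${dnsserver}
PROTECTED = {111, 161, 2049}  # constructed: UDP ports a site wants shielded


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def rule(action, src, sport, dst, dport):
    """One ipfw-style UDP rule; the string 'any' matches everything."""
    return (action, src, sport, dst, dport)


def evaluate(rules, pkt):
    """First matching rule wins, as in ipfw; unmatched packets are denied."""
    for action, src, sport, dst, dport in rules:
        if (src in ("any", pkt.src) and sport in ("any", pkt.sport)
                and dst in ("any", pkt.dst) and dport in ("any", pkt.dport)):
            return action
    return "deny"


# Rod's rules as quoted in the thread, in the order given.
ROD_RULES = [
    rule("pass", "any", "any", DNSSERVER, 53),
    rule("pass", DNSSERVER, 53, "any", "any"),
    rule("deny", "any", "any", "any", 53),
    rule("deny", "any", 53, "any", "any"),
]

# Adam's described approach, reconstructed (assumption): deny the protected
# ports first, regardless of source, and only then allow DNS traffic.
ADAM_RULES = [rule("deny", "any", "any", "any", p) for p in sorted(PROTECTED)] + [
    rule("pass", "any", "any", DNSSERVER, 53),
    rule("pass", DNSSERVER, 53, "any", "any"),
]

# Constructed traffic: a normal DNS reply to a client's ephemeral port, and a
# packet carrying the name server's address and source port 53 but aimed at
# portmapper (UDP 111) on an internal host.
SAMPLE = [Pkt(DNSSERVER, 53, "10.0.0.7", 34567), Pkt(DNSSERVER, 53, "10.0.0.7", 111)]


def check(rules, pkts):
    """Return the verdict for each packet under the given rule list."""
    return [evaluate(rules, p) for p in pkts]
```

Under ROD_RULES both sample packets pass, because the second rule trusts any packet that looks like it came from the name server's port 53; under ADAM_RULES the DNS reply still passes but the packet to port 111 is denied.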

