Date: Mon, 01 Nov 1999 15:37:22 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: sthaug@nethelp.no
Cc: security@FreeBSD.ORG
Subject: Re: hole(s) in default rc.firewall rules
Message-ID: <381DB3B2.10002A43@algroup.co.uk>
References: <381DAEE9.75C2EDA5@algroup.co.uk> <46576.941469757@verdi.nethelp.no>
sthaug@nethelp.no wrote:
> 
> > By setting their source port to 53 or 123, an attacker can bypass your
> > firewall and connect to any UDP listener.
> > 
> > I propose the following alternative:
> > 
> > # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP
> > # and all other high ports.  Allow outgoing UDP.
> > $fwcmd add pass udp from any to ${ip} 123
> > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049
> > $fwcmd add pass udp from any to any
> 
> If you block incoming UDP traffic with source port 53, you have very
> effectively blocked answers from all name servers outside your firewall.
> Is that what you want to do?

No, and it doesn't. I'm not blocking anything based on source port. I'm
blocking UDP traffic to any low port. DNS replies come in on high ports
(at least this is true on the half dozen or so boxes that I've implemented
this on, whether they are NAT/firewall boxes, or stand alone PCs). NTP, on
the other hand, comes in on 123, which is why I've specifically allowed it.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
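As an added illustration (not part of the thread, and not FreeBSD's rc.firewall code), the following Python script is a small first-match rule evaluator that runs both rule sets over constructed packets. The "proposed" rules are the three lines quoted above; the source-port-based rule set they are meant to replace is not quoted on this page, so its shape here (pass by source port 53/123, deny the rest) is an assumption made for contrast. The address 192.0.2.1 stands in for ${ip}, and all packets are constructed samples.

```python
"""
Toy first-match evaluator for the UDP rules discussed in the thread.
Rules use a cut-down ipfw-like syntax (assumed, not real ipfw parsing):
    pass|deny udp from <src> [<sports>] to <dst> [<dports>]
where <src>/<dst> are 'any' or an address, and the port fields are a
comma-separated list of single ports or low-high ranges ('any' if absent).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FIREWALL_IP = "192.0.2.1"  # constructed stand-in for ${ip}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "deny"
    src: Optional[str]                    # None means 'any'
    sports: Tuple[Tuple[int, int], ...]   # empty tuple means 'any'
    dst: Optional[str]
    dports: Tuple[Tuple[int, int], ...]


def parse_ports(spec: str) -> Tuple[Tuple[int, int], ...]:
    """'0-1023,1110,2049' -> ((0, 1023), (1110, 1110), (2049, 2049))."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'deny udp from any to ${ip} 0-1023,1110,2049'."""
    tokens = text.replace("${ip}", FIREWALL_IP).split()
    if tokens[1] != "udp" or tokens[2] != "from":
        raise ValueError("unsupported rule: " + text)
    to_idx = tokens.index("to")
    from_part = tokens[3:to_idx]
    to_part = tokens[to_idx + 1:]
    src = None if from_part[0] == "any" else from_part[0]
    sports = parse_ports(from_part[1]) if len(from_part) > 1 else ()
    dst = None if to_part[0] == "any" else to_part[0]
    dports = parse_ports(to_part[1]) if len(to_part) > 1 else ()
    return Rule(tokens[0], src, sports, dst, dports)


def port_matches(port: int, ranges) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or rule.src == pkt.src)
            and port_matches(pkt.sport, rule.sports)
            and (rule.dst is None or rule.dst == pkt.dst)
            and port_matches(pkt.dport, rule.dports))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides, as in ipfw; no match falls to deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Assumed shape of the source-port-based rules criticised in the thread
# (not quoted on this page): inbound UDP is trusted purely by source port.
SOURCE_PORT_RULES = [parse_rule(r) for r in (
    "pass udp from any 53 to ${ip}",
    "pass udp from any 123 to ${ip}",
    "deny udp from any to ${ip}",
)]

# The alternative quoted in the thread, minus the $fwcmd add prefix.
PROPOSED_RULES = [parse_rule(r) for r in (
    "pass udp from any to ${ip} 123",
    "deny udp from any to ${ip} 0-1023,1110,2049",
    "pass udp from any to any",
)]

# Constructed sample packets (TEST-NET addresses, not real hosts).
DNS_REPLY = Packet("198.51.100.53", 53, FIREWALL_IP, 40123)   # resolver used an ephemeral port
NTP_REPLY = Packet("198.51.100.123", 123, FIREWALL_IP, 123)   # ntpd speaks 123 <-> 123
LOW_PORT_WITH_SPORT_53 = Packet("203.0.113.9", 53, FIREWALL_IP, 111)  # the case the thread describes
NFS_PROBE = Packet("203.0.113.9", 40000, FIREWALL_IP, 2049)
HIGH_PORT_PROBE = Packet("203.0.113.9", 40000, FIREWALL_IP, 31337)   # unsolicited UDP to a high port


def compare(pkt: Packet) -> Tuple[str, str]:
    """(verdict under source-port rules, verdict under proposed rules)."""
    return evaluate(SOURCE_PORT_RULES, pkt), evaluate(PROPOSED_RULES, pkt)


if __name__ == "__main__":
    for name in ("DNS_REPLY", "NTP_REPLY", "LOW_PORT_WITH_SPORT_53",
                 "NFS_PROBE", "HIGH_PORT_PROBE"):
        print(f"{name:24s} source-port/proposed = {compare(globals()[name])}")
```

Running it shows the point both posters are making: a DNS reply to the resolver's ephemeral port and an NTP reply to port 123 pass under both rule sets, while a packet with source port 53 aimed at a low destination port passes the source-port rules and is denied by the proposed ones. The last sample is the caveat a reviewer would add to the proposal: the closing `pass udp from any to any` admits unsolicited UDP to any high port, so any unprivileged UDP listener on the box (or anything behind a NAT box that forwards high ports) is still reachable, and a stateful reply-matching rule would be the tighter fix where the firewall supports it.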