From owner-freebsd-bugs Wed Jun 28 17: 0:10 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 55AD437C453 for ; Wed, 28 Jun 2000 17:00:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id RAA34646; Wed, 28 Jun 2000 17:00:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767) id 5059D37C2F1; Wed, 28 Jun 2000 16:55:38 -0700 (PDT)
Message-Id: <20000628235538.5059D37C2F1@hub.freebsd.org>
Date: Wed, 28 Jun 2000 16:55:38 -0700 (PDT)
From: kevin@telco21.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: conf/19569: stock IPFW rules have subtle udp hole
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19569
>Category:       conf
>Synopsis:       stock IPFW rules have subtle udp hole
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 28 17:00:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Glavin
>Release:        3.X, 4.X - probably 2.x also
>Organization:
>Environment:
FreeBSD pod 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Sat Jun 24 16:55:34 GMT 2000 root@pod:/u2/usr/src/sys/compile/pod i386
>Description:
The ipfw stock rules have loosely defined rules for UDP port 53 and the NTP port (123 I think). The rules are defined in such a fashion that once a packet is coming from (Internet anywhere) port 53 to any port (on, for example, your outside interface), 'you' assume it's a DNS lookup response, or once a UDP packet is going out to port 53 from any port on your outside interface, 'you' assume it's a DNS query.

This assumption allows me to write a port scanner that binds to port 53 on the scanning machine and scans all UDP ports on FreeBSD machines that use these rules to allow DNS/NTP but are assuming that they have blocked all other UDP access. So if I am running another UDP-based service that I thought was protected by ipfw rules on the outside interface, it may actually be wide open once the attacking client binds to port 53 to initiate contact with the service.
>How-To-Repeat:
As part of a stock install, compile the kernel to use IPFW with the 'simple' rules enabled to NAT an internal 192.168.X network of home PCs.
>Fix:
A fix that works on certain configurations is to tightly specify the rules as:

    # Allow DNS queries out in the world: note query port set to 53 in named.conf
    $fwcmd add pass udp from any 53 to ${oip} 53
    $fwcmd add pass udp from ${oip} 53 to any 53
    ## Now Internet-based clients bound to port 53 can only connect to named
    ## instead of having free rein.

    # Same thing for NTP
    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip} 123
    $fwcmd add pass udp from ${oip} 123 to any 123

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
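The following is an added example, not code from the PR or from FreeBSD's rc.firewall: a small Python model of ipfw's first-match rule evaluation, loaded once with the loose stock-style rules the PR describes and once with the tightened rules from its fix. It shows why a stateless "pass udp from any 53 to ${oip}" rule cannot tell a DNS reply from an arbitrary datagram whose sender merely bound port 53, and that pinning both ends closes that gap while still letting replies reach a named that queries from port 53. The addresses, the Rule/Packet classes and the port list are constructed for the example; they are not from the PR.

```python
"""Toy ipfw-style first-match evaluator (added example, not FreeBSD code).

Rules are checked in order; the first rule that matches decides the fate of
the packet; anything unmatched is denied, as with a default-deny ruleset.
"""
from dataclasses import dataclass
from typing import List, Optional

OIP = "192.0.2.10"            # constructed: our outside interface (TEST-NET-1)
OUTSIDE_HOST = "203.0.113.5"  # constructed: some host on the Internet (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "deny"
    proto: str            # "udp", "tcp" or "ip" ("ip" matches every protocol)
    src: str              # address or "any"
    sport: Optional[int]  # None means any source port
    dst: str
    dport: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and self.src in ("any", p.src)
            and self.sport in (None, p.sport)
            and self.dst in ("any", p.dst)
            and self.dport in (None, p.dport)
        )


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; fall through to deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Loose rules as the PR describes them: only the remote end's port is pinned,
# so any datagram from source port 53 or 123 reaches every local UDP port.
LOOSE_RULES = [
    Rule("pass", "udp", "any", 53, OIP, None),
    Rule("pass", "udp", OIP, None, "any", 53),
    Rule("pass", "udp", "any", 123, OIP, None),
    Rule("pass", "udp", OIP, None, "any", 123),
    Rule("deny", "ip", "any", None, "any", None),
]

# Tightened rules from the PR's fix: both ends pinned, so only named<->named
# and ntpd<->ntpd exchanges pass (named must query from port 53 for this).
TIGHT_RULES = [
    Rule("pass", "udp", "any", 53, OIP, 53),
    Rule("pass", "udp", OIP, 53, "any", 53),
    Rule("pass", "udp", "any", 123, OIP, 123),
    Rule("pass", "udp", OIP, 123, "any", 123),
    Rule("deny", "ip", "any", None, "any", None),
]


def inbound_from_source_port(rules: List[Rule], sport: int, target_port: int) -> str:
    """Verdict for a datagram from an outside host that bound `sport` locally,
    aimed at `target_port` on our outside interface."""
    return evaluate(rules, Packet("udp", OUTSIDE_HOST, sport, OIP, target_port))


def dns_reply_to_named(rules: List[Rule]) -> str:
    """A legitimate reply from a remote name server to our port-53 named."""
    return inbound_from_source_port(rules, 53, 53)


def exposed_udp_ports(rules: List[Rule], sport: int, ports: List[int]) -> List[int]:
    """Audit helper: which of `ports` does a sender bound to `sport` reach?"""
    return sorted(p for p in ports if inbound_from_source_port(rules, sport, p) == "pass")


if __name__ == "__main__":
    sample_ports = [53, 123, 161, 514, 2049]   # constructed local UDP services
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(f"{name:5s} reachable from sport 53:  {exposed_udp_ports(rules, 53, sample_ports)}")
        print(f"{name:5s} reachable from sport 123: {exposed_udp_ports(rules, 123, sample_ports)}")
        print(f"{name:5s} DNS reply to named: {dns_reply_to_named(rules)}")
```

The tightened set carries the caveat the PR itself notes ("works on certain configurations"): it only admits replies to queries sent from local port 53, so a resolver that queries outside servers from an ephemeral port would lose its answers unless it goes through the local named. Where the ipfw build supports stateful rules (keep-state/check-state), letting an outbound query create the state that admits its reply avoids pinning the local port at all.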