On Tue, 20 Oct 1998, Nicholas J. Leon wrote:

> Ok, so recently Glynn made a comment about using the -b switch in ipfwadm
> (which also applies to ipchains). So, with an open mind I reviewed my
> firewall rules.
> 
> And I noticed something :). Consider this example:
> 
> ipchains -A input -j ACCEPT -i ppp+ -s 0/0 domain -p udp 
> 
> My philosophy behind this is since udp is connectionless, I can't use the
> '! -y' notation (SYN cleared, ACK |& FIN set) to allow replies back into
> my localnet, I have to allow for the following:
> 
> local machine sends DNS request via udp from a random port to port 53 on
>    an outside DNS server (no firewall rules apply, I have very few output
>    chain rules). 
> outside DNS server sends a reply back from port 53 to 
>    localhost:randomport (the above rule would allow this to happen)
> 
> Now, the problem I see is that suddenly, ANY udp port locally is now
> accessible as long as it originates from port 53 on the outside. This is a
> massive security hole as far as I'm concerned.
> 
> What can be done about this? Suggestions? Comments? ... Glynn? :)
> 
> G'day!
> 
> --                                          n i c h o l a s  j  l e o n
>   /  elegance through simplicity   / 
>  /  good fortune  through truth   /          http://mrnick.binary9.net
> / not all questions have answers /          mailto:[EMAIL PROTECTED]
>  
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
> 

Correct, it is a hole, but a malicious user is going to have to find out
that the DNS server that you have chosen is sending replies back to port
53, then one could take trust from the DNS server and send you false
packets. Of course finding out what port the DNS server is sending back to
shouldn't be hard...but if they're wanting to take that much time out to
find out, then I guess you could be screwed...There's something you can do
about this though, unfortunately, I can't remember...hence Glynn would
know...:)

Regards,

Woody Hughes, MCP
Security Administrator
Computer Technician
[EMAIL PROTECTED]



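The hole both posters describe (a stateless "accept from source port 53" rule exposing every local UDP port) and the usual mitigation for ipchains can be made concrete without a 2.2 kernel at hand. The following is an added example, not code from either message: a small simulator of ipchains' first-match input-chain semantics for UDP, loaded once with the rule from the original post and once with a tightened rule that only accepts replies from the resolver the host actually uses, and only to unprivileged local ports (1024:65535). The addresses (local host 10.0.0.5 on ppp0, resolver 192.0.2.53, spoofer 198.51.100.7) and the ipchains command lines quoted in comments are assumptions chosen for illustration, not taken from the thread.

```python
"""Stateless UDP filter simulation for the ipchains DNS-reply rule.

Emulates ipchains first-match semantics on the input chain for UDP.
All addresses are constructed for the example (documentation ranges):
  local host 10.0.0.5 behind ppp0, the resolver listed in
  /etc/resolv.conf at 192.0.2.53, and a spoofer at 198.51.100.7 who
  sends packets with source port 53.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or DENY
    proto: str = "all"
    iface: Optional[str] = None              # ipchains 'ppp+' prefix wildcard
    src: str = "0.0.0.0/0"
    sport: Tuple[int, int] = (0, 65535)      # inclusive, ipchains 'lo:hi'
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (0, 65535)

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.iface is not None:
            if self.iface.endswith("+"):
                if not p.iface.startswith(self.iface[:-1]):
                    return False
            elif p.iface != self.iface:
                return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return (self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def verdict(chain, p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; the chain policy applies otherwise."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The rule from the original post:
#   ipchains -A input -j ACCEPT -i ppp+ -s 0/0 domain -p udp
LOOSE = [
    Rule("ACCEPT", proto="udp", iface="ppp+", src="0.0.0.0/0", sport=(53, 53)),
]

# Tightened (assumed resolver 192.0.2.53, assumed local address 10.0.0.5):
#   ipchains -A input -p udp -i ppp+ -s 192.0.2.53 53 \
#            -d 10.0.0.5 1024:65535 -j ACCEPT
TIGHT = [
    Rule("ACCEPT", proto="udp", iface="ppp+", src="192.0.2.53/32",
         sport=(53, 53), dst="10.0.0.5/32", dport=(1024, 65535)),
]

# Constructed traffic: a genuine reply to an ephemeral port, and a spoofed
# packet from port 53 aimed at the local portmapper (111/udp).
REAL_REPLY = Packet("ppp0", "udp", "192.0.2.53", 53, "10.0.0.5", 40000)
SPOOFED = Packet("ppp0", "udp", "198.51.100.7", 53, "10.0.0.5", 111)
RESOLVER_TO_PRIV = Packet("ppp0", "udp", "192.0.2.53", 53, "10.0.0.5", 111)


def compare(p: Packet) -> dict:
    return {"loose": verdict(LOOSE, p), "tight": verdict(TIGHT, p)}


if __name__ == "__main__":
    for name, pkt in (("real reply", REAL_REPLY), ("spoofed", SPOOFED),
                      ("resolver to 111", RESOLVER_TO_PRIV)):
        print(f"{name:16s} {compare(pkt)}")
```

The tightened rule closes the case the thread worries about (anyone on the Internet sourcing from port 53 reaching any local UDP service), but it is still stateless: a packet that forges the resolver's address and source port 53 is accepted to any unprivileged port, because ipchains has no way to tie a reply to an outstanding query. That residual exposure is inherent to ipchains; it was removed only by the connection-tracking `state` match that arrived with iptables in Linux 2.4.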