Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] SuSE firewall2 configuration for zone transfer
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Thu, 24 Jul 2003 00:05:16 +0200
  • Message-id: <20030724000516.H4344@xxxxxxxxx>
* M. Edwin wrote on Wed, Jul 23, 2003 at 15:10 +0800:
> It means I also have to open highport TCP and TCP 53, right?

What do you mean by "highport"? ext:53 -> dmz:>1024?

bind knows query-source or something. Set it to 53 and allow
TCP+UDP port 53<->53 only.

If you allow ext:53-->dmz:userport (or something like that), you have
left all high ports unprotected. Sometimes proxies use high ports such
as 8080 or 3128, and many services (including database servers, X,
sometimes even NFS or other portmapped services) are known to do
the same. So you shouldn't allow (any) TCP packets to arrive here.
At least drop SYN without ACK to prevent incoming TCP connections, or
use the RELATED functionality of iptables.

For UDP it is slightly more complicated. An attacker can set up an
NS RR pointing to her attacking host and insert some URL by e-mail or
such (IMG SRC="http://attacker/a.gif"). Your local DNS server may send
a UDP packet to the attacker's server, which responds with UDP from
port 53.

Some stateful firewalls implement this by allowing "response"
packets for some time window (60 seconds or so?). So an
attacker would start a UDP attack after her DNS has been
queried, with source port 53 (which can be implemented by some
NAT or a DNS-server-and-attack-tool) ... If you allow 53<->53
only, she can attack your DNS ports only. Of course it also helps
(e.g., in a DMZ) to have dedicated DNS servers (so the DNS service
can only be attacked at this one IP in any case).

> My current firewall setting for TCP high port is
>
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

If this allows active FTP, then you have the same problem here.
An attacker just needs to start the attack from source port 20,
which is quite common and, together with source port 53, a common
default in scan and attack tools. So I recommend not doing such
configurations. An open firewall won't be a good one, I think :-)

oki,

Steffen

--
This letter was produced by machine,
so it bears neither signature nor seal.
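The two rule sets the reply contrasts, written out as an added example (this is editor-supplied code, not from the original post and not SuSEfirewall2's own generated rules). The weak set is what "ext:53 -> dmz:highport" plus an ftp-data high-port allowance amount to once rendered as iptables rules; the strict set follows the reply's advice (53<->53 in both directions, connection tracking for replies, no new TCP to high ports). The address 192.0.2.53 and interface eth0 are placeholders, and the mapping of FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" onto a sport-20 rule is my approximation. One caveat the 2003 thread could not know: since the 2008 cache-poisoning disclosure BIND randomizes its query source port, so pinning query-source to port 53 today trades poisoning resistance for a narrower firewall rule; with a conntrack-capable firewall, prefer letting ESTABLISHED,RELATED admit the replies and leave the source port random.

```shell
#!/bin/sh
# Added example, not from the original post. Emits two iptables rule sets
# (iptables-restore syntax) for a DNS server in a DMZ and audits them for
# the mistake the post describes: trusting the peer's source port.
# DMZ_DNS and EXT_IF are assumed placeholders for this example.

DMZ_DNS=${DMZ_DNS:-192.0.2.53}   # assumed DMZ name server (documentation range)
EXT_IF=${EXT_IF:-eth0}           # assumed external interface

# What "ext:53 -> dmz:highport" and an ftp-data high-port allowance amount to:
# anyone who sends from source port 53 or 20 reaches every port above 1023.
weak_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p udp --sport 53 --dport 1024:65535 -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
COMMIT
EOF
}

# The post's recommendation: replies only via connection tracking, DNS
# 53<->53 in both directions (the server must then send its own queries
# from port 53), and no new TCP connections to anything but port 53.
strict_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p udp --dport 53 -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p tcp --dport 53 -j ACCEPT
-A FORWARD -o $EXT_IF -s $DMZ_DNS -p udp --sport 53 --dport 53 -j ACCEPT
-A FORWARD -o $EXT_IF -s $DMZ_DNS -p tcp --sport 53 --dport 53 -j ACCEPT
-A FORWARD -i $EXT_IF -d $DMZ_DNS -p tcp --syn -j DROP
COMMIT
EOF
}

# Audit helper: reads a rule set on stdin and prints every ACCEPT that keys
# on a source port yet opens a whole destination port range. Each hit is a
# hole an attacker can walk through simply by choosing her source port.
audit_sport_trust() {
    grep -- '-j ACCEPT' | grep -- '--sport' \
        | grep -- '--dport [0-9][0-9]*:[0-9][0-9]*' || true
}
```

Pipe either function into `iptables-restore --test` to syntax-check the set without loading it; `weak_rules | audit_sport_trust` reports the sport-53 and sport-20 rules, while the strict set produces no hits because its only source-port matches are on the DMZ server's own outbound 53->53 traffic.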
