Firewall rules

Richard Underwood richard@lbi-aspect.com
Mon Sep 13 09:49:25 UTC 2004


Hi,

	I thought I should make a comment regarding the documentation about
firewall rules on the website at
http://www.rhyolite.com/anti-spam/dcc/firewall.html - I hope this hasn't
been covered to death before! I realise it says "use at your own risk", but
it should perhaps be clarified.

| Most DCC installations are of clients. Some installations also
| include DCC servers. It is usually desirable to have a DCC client
| with a local server fallback on the external, public DCC servers.
| This will allow query responses from external servers to reach
| the internal client at 192.168.7.2:
| 
|   access-list 101 permit udp any eq 6277 host 192.168.7.2 gt 1023

	This allows any UDP traffic originating from port 6277 to any port
greater than 1023. This could be used for UDP port scanning (e.g. with nmap)
or even bypassing the rules - some protocols use well-known UDP ports above
1023, e.g. NFS typically uses 2049.

	I'm no expert on Cisco IOS rules, and stateful filtering may not be
possible with straight IOS; but for PIX firewalls, the rule is implicit.

| Access-list 101 should already have an 'allow established' line that
| will allow return tcp packets resulting from the local dccd flooding
| to a remote dccd. If it does not, add this for the DCC server at
| 192.168.7.2:
| 
|   access-list 101 permit tcp any eq 6277 host 192.168.7.2 gt 1023

	Likewise, this allows TCP connections to any port greater than 1023
from 6277. As an example, my server also has mysql installed. If I used the
rule as described, an attacker could bind their client to port 6277 and
connect to port 3306 on my server, connecting to the mysql server which was
otherwise firewalled.

	While best practice would mean that these connections are also
restricted at the service, I don't believe it's appropriate to offer
security advice that isn't secure, despite warnings; I'd suggest stressing
the use of "established" rules or stateful firewalls and explicitly warning
that allowing incoming connections based upon the source port is inherently
insecure.

	Thanks,

		Richard
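To make the objection above concrete, here is an added example (not from the DCC documentation or from Richard's mail) that models the two quoted access-list lines as a tiny packet filter and runs constructed packets through them: a real DCC reply, an NFS probe from source port 6277, and a fresh MySQL connection whose client socket was bound to 6277. It assumes simplified Cisco semantics: `eq`/`host`/`gt` match exactly as written, and `established` only accepts TCP segments with ACK or RST set.

```python
"""Toy evaluator for the ACL lines quoted from the DCC firewall page.
Constructed illustration, not Cisco or DCC code; semantics are simplified."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                # "udp" or "tcp"
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: int             # 'eq <src_port>'
    dst_ip: str               # 'host <dst_ip>'
    min_dst_port: int         # 'gt <min_dst_port>'
    established: bool = False # TCP-only keyword: require ACK or RST

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or p.src_port != self.src_port:
            return False
        if p.dst_ip != self.dst_ip or p.dst_port <= self.min_dst_port:
            return False
        # 'established' admits only answers to an existing connection;
        # a fresh SYN carries neither ACK nor RST and is rejected.
        if self.established and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        return True

def permitted(acl, p: Packet) -> bool:
    """First-match-permit; anything unmatched is implicitly denied."""
    return any(r.matches(p) for r in acl)

# The two rules exactly as quoted from the DCC page (source-port only).
SOURCE_PORT_ONLY = [Rule("udp", 6277, "192.168.7.2", 1023),
                    Rule("tcp", 6277, "192.168.7.2", 1023)]
# Same rules, but the TCP line carries 'established' as the mail suggests.
WITH_ESTABLISHED = [Rule("udp", 6277, "192.168.7.2", 1023),
                    Rule("tcp", 6277, "192.168.7.2", 1023, established=True)]

# Constructed packets, all arriving from source port 6277.
DCC_REPLY = Packet("udp", 6277, "192.168.7.2", 40000)                   # legit
NFS_PROBE = Packet("udp", 6277, "192.168.7.2", 2049)                    # scan
MYSQL_SYN = Packet("tcp", 6277, "192.168.7.2", 3306, frozenset({"SYN"}))  # bypass
FLOOD_ACK = Packet("tcp", 6277, "192.168.7.2", 45000, frozenset({"ACK"}))  # legit
```

The `established` variant stops the MySQL SYN while still passing the dccd flood reply, but it does nothing for the UDP probe, which is why the mail's other suggestion, a stateful firewall, is the only fix for the UDP line.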
