Aug. 17, 2018  


From: Patrik C. Date: 24/5/00

Hi Wes,

I have a couple of questions (or remarks) on your book "Building Linux and OpenBSD Firewalls". First of all I would like to say that it is a good book and I liked reading it very much. Now to my questions:

- I do not remember exactly where in the book, but you mentioned that using keep-state (ipf) with a stateless protocol opened up security problems, but you did not explain them. So what kind of security problems?

- Probably due to the first question, your examples (both in the book and on the web) have a rule to allow DNS servers to reply as long as the source port is 53. You also pointed out the security implications of this, but in the FAQ Darren says this:

For UDP, it will automatically allow packets in which are the "reverse" of packets that have already been allowed through, without needing to allow too many packets through. For example, the following could be used for DNS clients: 

block out proto udp all
block in proto udp all
pass out proto udp from any port > 1024 to any port = 53
pass in proto udp from any port = 53 to any port > 1024

which allows through a LOT of unwanted packets. This can be effectively replaced with the following: 
block out proto udp all
block in proto udp all
pass in proto udp from any to any port = 53 keep state

And with my present knowledge I agree with Darren's statement. So I would like to know which is the best configuration security-wise?
(It could have to do with the answer to question number one; in this case enlighten me :)
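As an added illustration of the two rule sets quoted from the FAQ (this is example code written for this page, not from the book, from Darren Reed's FAQ, or from ipf itself), the toy filter below models what each rule set does with a few constructed UDP packets. The port-based rules match on ports alone, so any packet whose source port is 53 and whose destination port is above 1024 passes; the "keep state" rule only passes a packet that reverses a flow the filter has already passed. The rule direction is a parameter of the model: `rule_dir="out"` is used here for the DNS-client case the FAQ text describes. The UDP state timeout value and the addresses are arbitrary choices for the example; ipf's actual timeout handling is not reproduced.

```python
from collections import namedtuple

# A UDP packet as the filter sees it: time, direction relative to the host,
# source/destination addresses and ports. Constructed for this example.
Pkt = namedtuple("Pkt", "t dir src sport dst dport")


def port_only_rules(pkt):
    """The first rule set quoted from the FAQ, matched on ports alone:
       pass out proto udp from any port > 1024 to any port = 53
       pass in  proto udp from any port = 53 to any port > 1024
    Anything else falls through to the 'block ... all' rules."""
    if pkt.dir == "out" and pkt.sport > 1024 and pkt.dport == 53:
        return "pass"
    if pkt.dir == "in" and pkt.sport == 53 and pkt.dport > 1024:
        return "pass"
    return "block"


class KeepStateRules:
    """Toy model of 'pass <dir> proto udp from any to any port = 53 keep state'.
    A packet matching the rule in its own direction creates a state entry;
    a packet in the other direction passes only if it exactly reverses a
    live entry. Entries expire after `timeout` seconds and are refreshed by
    matching traffic (a simplification of ipf's UDP state handling)."""

    def __init__(self, rule_dir="out", timeout=60):
        self.rule_dir = rule_dir
        self.timeout = timeout
        self.table = {}  # (src, sport, dst, dport) -> expiry time

    def filter(self, pkt):
        reverse = "in" if self.rule_dir == "out" else "out"
        if pkt.dir == self.rule_dir and pkt.dport == 53:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.table[key] = pkt.t + self.timeout
            return "pass"
        if pkt.dir == reverse:
            # The flow this packet would be the reverse of.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            expiry = self.table.get(key)
            if expiry is not None and pkt.t <= expiry:
                self.table[key] = pkt.t + self.timeout
                return "pass"
        return "block"


# Constructed addresses (documentation ranges) and traffic.
CLIENT = "192.0.2.10"
RESOLVER = "198.51.100.1"
ATTACKER = "203.0.113.7"

TRAFFIC = [
    Pkt(0, "out", CLIENT, 40000, RESOLVER, 53),    # our DNS query
    Pkt(1, "in", RESOLVER, 53, CLIENT, 40000),     # the genuine reply
    Pkt(2, "in", ATTACKER, 53, CLIENT, 40001),     # unsolicited; sender picked source port 53
    Pkt(3, "in", ATTACKER, 53, CLIENT, 6000),      # "reply" aimed at an unrelated port above 1024
    Pkt(200, "in", RESOLVER, 53, CLIENT, 40000),   # late duplicate after the state entry expired
]


def compare(traffic=TRAFFIC):
    """Return (port-only verdict, keep-state verdict) for each packet in order."""
    stateful = KeepStateRules(rule_dir="out")
    return [(port_only_rules(p), stateful.filter(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (ports, state) in zip(TRAFFIC, compare()):
        print(f"t={pkt.t:>3} {pkt.dir:<3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  port-only={ports:<5} keep-state={state}")
```

Running it shows the port-only rules passing all five packets, while the keep-state rule passes only the query and its matching reply and blocks the two unsolicited packets and the stale duplicate.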
