[1904] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Linux and IPFWADM

daemon@ATHENA.MIT.EDU (Bernhard Weisshuhn)
Fri Jun 19 03:38:31 1998

Date: Wed, 17 Jun 1998 09:45:42 +0200
From: Bernhard Weisshuhn <bkw@weisshuhn.de>
To: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980616003614.3348D-100000@seifried-gateway.seifried.org>; from seifried@seifried.org on Tue, Jun 16, 1998 at 12:41:53AM -0600
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

seifried@seifried.org (seifried@seifried.org) wrote:

> # Deny ALL ICMP from external.
> #
> ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0
> ipfwadm -O -a deny -P icmp -S 0.0.0.0/0 -W eth0 -D 0.0.0.0/0

You don't want to disable all icmp. It disables MTU discovery. Quoting
the ipchains-howto 
( http://www.adelaide.net.au/~rustcorp/ipfwchains/HOWTO.html )

  A worse problem is the role of ICMP packets in MTU discovery.  All
  good TCP implementations (Linux included) use MTU discovery to try to
  figure out what the largest packet that can get to a destination
  without being fragmented (fragmentation slows performance, especially
  when occasional fragments are lost).  MTU discovery works by sending
  packets with the "Don't Fragment" bit set, and then sending smaller
  packets if it gets an ICMP packet indicating "Fragmentation needed but
  DF set" (`fragmentation-needed').  This is a type of `destination-
  unreachable' packet, and if it is never received, the local host will
  not reduce MTU, and performance will be abysmal or non-existant.


> # Allow ftp-data (20) connections incoming to internal clients (1024:65535)
> #
> ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 -D 0.0.0.0/0 1025:65535

You should only allow these connections, if you are absolutely positve
there are no other services running in the 1025:65535 range, that you
have not taken care of seperately. It is way too easy to make a
connection come from port 20, security measures should not rely on the
client behaving pc.
A better way IMHO is to force the clients to use PASV-ftp (every client
out there supports it) and let an internal squid forward ftp-requests
from www-browsers to an external parent, or use some other ftp-proxy.

> # Allow named (udp 53) connections incoming to clients (1024:65535)
> #
> ipfwadm -I -a accept -P udp -S 0.0.0.0/0 53 -D 0.0.0.0/0 1025:65535

AFAIK big chinks of dns data are transported via tcp (and not only zone
transfers). So you should also allow tcp. Then again, there is this
tunneling issue (published in phrack I think), but this can bite you
on any other other ports as well.

[mod: I thought only zone transfers were done using tcp. Anybody know
for sure? (Yes, nslookup also uses tcp if you use the "ls" command,
but it just pretends being another named doing a zone transfer) -- REW]

Rather than gathering material on ipfwadm, I think we should all turn
our heads towards ipchains, the excellent new firewalling implementation
by Paul Russel, that is already in the new 2.1 kernels. This is the way
to go, IMHO.

Check out http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
and let's work on some basic setup we all can agree on. The Howto has
some examples already.

just my 2 Pfennig,
Bernhard

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post