Is this a safe ipfilter rule?
Luke
luked at pobox.com
Mon Jul 12 23:15:48 PDT 2004
I'm using some rules like the following to allow unrestricted udp traffic
across my firewall between my system and a set of specific ports on
specific domain name servers. This is the scariest of these rules:
pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any
Is this safe?
According to everything I've read, it's best to have a stateful firewall.
The examples I've seen do something like:
pass out quick proto udp from my.internal.address.range to any keep state
DNS queries match this rule and add an entry to the state table so that
the local machine can get the reply back from the DNS without requiring
any "pass in" rules.
However, I have a problem with that. I believe (and I'm gathering proof
right now) that I'm running some heavy-duty filesharing applications that
are causing ipfilter's state table to fill up. When this happens, I
believe DNS queries choke if stateful rules are used. "named" goes into a
frenzy of logging "sysquery: no addrs found for root NS
(H.ROOT-SERVERS.NET)" and proceeds to run the alphabet on the
ROOT-SERVERS.NET failing on all of them several times per second,
presumably because the state table is full. /var/log/messages quickly
grows to huge sizes, and a denial-of-service situation occurs.
I may be wrong about some of this. It's a theory I'm trying to prove to
explain why named goes crazy when my system is under the stress of heavy
filesharing.
So, to keep named happy and prove my theory one way or the other, I'd like
to pass all DNS traffic through the firewall without making entries in the
state table. I'm trying to accomplish this by setting up rules that are
as specific as I can be about exactly which IP addresses and ports I want
to allow free udp communication with, but is this safe? How difficult
would it be for someone to forge packets that could get past this rule,
and if they did, what damage could they do with udp?
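The following is an added example for this thread, not code from the original post and not ipfilter's own code. It is a toy model of how a default-deny filter with "quick" rules and a bounded UDP state table decides packets, used to compare the posted stateless rule, a tighter stateless variant, and the "keep state" alternative. All addresses are constructed (RFC 5737 documentation ranges), the port predicates and the rule objects are assumptions standing in for the ipf.conf syntax, and the behaviour when the state table is full (the outbound query still passes but no entry is recorded, so the reply has nothing to match) is a modelling assumption chosen to reproduce the symptom the post describes, not a claim about ipfilter internals.

```python
"""Toy model of ipfilter-style UDP rule matching: stateless vs "keep state".

Added example for this mailing-list thread. Not code from the post or from
ipfilter. Simplified semantics: first matching "quick" rule decides, default
policy is block, state entries are checked before the rule list, and a
"keep state" rule whose state insert fails (table full) still passes the
packet but records nothing (assumption). Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the outside) or "out"
    src: str
    sport: int
    dst: str
    dport: int


PortPred = Callable[[int], bool]


@dataclass(frozen=True)
class Rule:
    """One 'pass ... quick proto udp' rule; None for a port means 'any'."""
    direction: str
    src: str                      # CIDR; "0.0.0.0/0" stands for "any"
    sport: Optional[PortPred]
    dst: str
    dport: Optional[PortPred]
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport(p.sport))
                and (self.dport is None or self.dport(p.dport)))


Flow = Tuple[str, int, str, int]   # (local src, sport, remote dst, dport)


class Filter:
    """Default-deny filter with 'quick' rules and a bounded UDP state table."""

    def __init__(self, rules: List[Rule], state_limit: int) -> None:
        self.rules = rules
        self.state_limit = state_limit
        self.state: Set[Flow] = set()

    def check(self, p: Packet) -> bool:
        # Inbound packets are looked up as the reverse of the outbound flow.
        flow = ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
                else (p.dst, p.dport, p.src, p.sport))
        if flow in self.state:
            return True
        for r in self.rules:
            if r.matches(p):
                if r.keep_state and len(self.state) < self.state_limit:
                    self.state.add(flow)
                # Table full: packet passes, nothing recorded (assumption).
                return True
        return False   # default policy: block


DNS = "192.0.2.53"       # constructed: the remote DNS server's address
HOST = "198.51.100.10"   # constructed: the local resolver host
LAN = "198.51.100.0/24"  # constructed: my.internal.address.range
ANY = "0.0.0.0/0"
UNPRIV: PortPred = lambda port: port > 1023

# The rule from the post: pass in quick proto udp from DNS/32 port = 53 to any
POSTED_RULE = Rule("in", DNS + "/32", lambda port: port == 53, ANY, None)
# Tighter stateless variant: only to the resolver host, only to unprivileged ports
TIGHT_RULE = Rule("in", DNS + "/32", lambda port: port == 53, HOST + "/32", UNPRIV)
# The stateful alternative: pass out quick proto udp from LAN to any keep state
STATEFUL_RULE = Rule("out", LAN, None, ANY, None, keep_state=True)

# Constructed packets: a forged reply needs only src=DNS and sport=53 to match
FORGED_TO_PORTMAP = Packet("in", DNS, 53, HOST, 111)
FORGED_TO_HIGH = Packet("in", DNS, 53, HOST, 40000)
QUERY = Packet("out", HOST, 40000, DNS, 53)
REPLY = Packet("in", DNS, 53, HOST, 40000)


def stateless_results() -> Dict[str, bool]:
    posted = Filter([POSTED_RULE], state_limit=0)
    tight = Filter([TIGHT_RULE], state_limit=0)
    return {
        "posted_forged_to_111": posted.check(FORGED_TO_PORTMAP),
        "posted_forged_to_40000": posted.check(FORGED_TO_HIGH),
        "tight_forged_to_111": tight.check(FORGED_TO_PORTMAP),
        "tight_forged_to_40000": tight.check(FORGED_TO_HIGH),
    }


def stateful_results(state_limit: int, p2p_flows: int) -> Dict[str, bool]:
    fw = Filter([STATEFUL_RULE], state_limit)
    # Constructed filesharing traffic: each new peer consumes one state entry.
    for i in range(p2p_flows):
        fw.check(Packet("out", HOST, 6881 + i, "203.0.113.%d" % (i + 1), 6881))
    forged_before = fw.check(REPLY)   # no matching query yet -> blocked
    query_passed = fw.check(QUERY)
    reply_passed = fw.check(REPLY)
    return {"forged_before_query": forged_before,
            "query": query_passed, "reply": reply_passed}


if __name__ == "__main__":
    print("stateless:", stateless_results())
    print("stateful, room in table:", stateful_results(state_limit=4, p2p_flows=2))
    print("stateful, table full:   ", stateful_results(state_limit=4, p2p_flows=4))
```

The stateless comparison shows what the posted rule actually checks: only the source address and source port, both of which a sender can set freely, so a packet with sport 53 reaches any UDP port on any internal host. Restricting the destination to the resolver host and to unprivileged ports narrows that to the ports the resolver itself may be listening on, but cannot tell a forged reply from a real one. The stateful run shows why the post's symptom fits a full state table: the query still leaves, but with no entry recorded the reply is dropped by default deny.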