Re: [cobalt-users] RaQ4: How to prevent by-passing firewall rules by sending UDP:53
- Subject: Re: [cobalt-users] RaQ4: How to prevent by-passing firewall rules by sending UDP:53
- From: "Ian Gibbons" <cobalt-users1@xxxxxxxxxxxxx>
- Date: Fri Jan 23 06:56:03 2004
- Organization: Fish.Net Ltd
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On 23 Jan 2004 at 17:39, Al-Juhani wrote:
> Hello List.
>
> I have a RaQ4 with IPchains installed but not tightly configured as I only
> have certain ports blocked plus some ISPs that have been source of scans ..
>
> Today I performed a Security Audit from a third-party company and in their
> report they have indicated the following vulnerability.
>
> ----
> Vulnerability found on port general/udp:
>
> It is possible to by-pass the rules of the remote firewall
> by sending UDP packets with a source port equal to 53.
>
> An attacker may use this flaw to inject UDP packets to the remote
> hosts, in spite of the presence of a firewall.
>
> Solution : Review your firewall rules policy
> Risk Factor : High
> ----
>
> I am not sure as I tried before to apply some control on DNS running on the
> Server but caused many problems ..
>
> Any idea,
>
> Thanks
>
> Al-Juhani
> aljuhani@xxxxxxxxx
Hi,
It sounds like you're allowing incoming UDP port 53 packets FROM ANYWHERE to
any other port.
Change your firewall rules so that they are only allowed from the external DNS
server(s) you use.
ipchains -A input -p udp -s <REMOTE DNS SERVER IP> 53 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -j DENY
If this is not an option, for example if you run your own DNS, change the rules to
allow UDP 53 packets only to UDP 53 on your server.
ipchains -A input -p udp -s 0/0 53 -d <YOUR IP> 53 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -j DENY
I constructed these ipchains rules from memory, so check the syntax before you
use ;)
Regards
Ian
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
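The weakness the audit found, and the two rule sets suggested in the reply, can be checked without touching a live box by modelling ipchains' first-match, stateless evaluation. The following is an added example written for this archive page; it is not code from either poster and it does not run ipchains. All addresses (the RaQ at 192.0.2.10, its resolver at 192.0.2.53, the probe and peer hosts) and the three sample packets are constructed for the demonstration. Rule order and the "source port 53" matching mirror the two rule pairs in the reply; the chain default is ACCEPT to reflect a firewall that only blocks certain ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
MY_IP = "192.0.2.10"        # constructed: the RaQ's own address
RESOLVER = "192.0.2.53"     # constructed: the external DNS server the RaQ uses


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ipchains-style input rule; a port of None means 'any port'."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    target: str  # "ACCEPT" or "DENY"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule applies to the packet."""
    return (
        rule.proto == pkt.proto
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.sport is None or rule.sport == pkt.sport)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in ipchains; 'policy' is the chain default.
    There is no connection state: a reply is not recognised as a reply."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The audited configuration: source port 53 is never examined, so the chain
# default (ACCEPT, i.e. "only certain ports blocked") applies to it.
LOOSE: List[Rule] = []

# First variant from the reply: source port 53 is accepted only from the
# resolver(s) this host actually uses, then denied from everywhere else.
TRUSTED_RESOLVER = [
    Rule("udp", RESOLVER, 53, ANY, None, "ACCEPT"),
    Rule("udp", ANY, 53, ANY, None, "DENY"),
]

# Second variant, for a host running its own name server: source port 53
# may reach only destination port 53 on this host.
OWN_DNS = [
    Rule("udp", ANY, 53, MY_IP, 53, "ACCEPT"),
    Rule("udp", ANY, 53, ANY, None, "DENY"),
]

# Constructed sample traffic.
SAMPLES: Dict[str, Packet] = {
    # what the audit tool sent: source port 53, aimed at a non-DNS service
    "probe_sport53_to_111": Packet("udp", "203.0.113.77", 53, MY_IP, 111),
    # a genuine reply from the configured resolver to an ephemeral client port
    "resolver_reply": Packet("udp", RESOLVER, 53, MY_IP, 1234),
    # another name server querying ours, port 53 to port 53
    "peer_dns_query": Packet("udp", "198.51.100.9", 53, MY_IP, 53),
}


def audit(chain: List[Rule], policy: str = "ACCEPT") -> Dict[str, str]:
    """Return the verdict each sample packet gets under the given chain."""
    return {name: verdict(chain, pkt, policy) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("loose", LOOSE),
                         ("trusted_resolver", TRUSTED_RESOLVER),
                         ("own_dns", OWN_DNS)):
        print(label, audit(chain))
```

Under the loose chain every sample is accepted, including the probe to port 111, which is exactly what the audit reported. The trusted-resolver chain denies the probe while still letting the resolver's reply through to the ephemeral port. The own-DNS chain also denies the probe, but because the filter is stateless it denies the resolver's reply as well: that variant only suits a server whose name server sends its own queries from port 53, or it needs to be combined with the per-resolver ACCEPT rule from the first variant.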