Just as a slight follow-up I should have included in my earlier e-mail:
the merging of ucred and pcred should make this patch now be able to
support real and saved uids/gids as well as effective uids/gids, meaning
that it can be used to also restrict setuid applications such as ping.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
> 
> Back in 1997, an email was sent to hackers@ about some substantial firewall
> code improvements, along with a patch, by Julian Assange
> <[EMAIL PROTECTED],suburbia.net}>.  A PR (misc/2386) was then filed, but
> marked 'closed' shortly after submission for the 'Misfiled PR' reason.  It
> seems never to have raised any interest afterwards, despite the fact that
> this work is definitely worth considering.
> 
> I will forward the original mail at the end for those who are interested.
> My particular interest in this comes from the fact that uid/gid-based IPFW
> filtering only works for outgoing connections, which is a neat thing of
> course.  However, to be able to provide any service, I need to allow
> incoming connections as well, and this is where I got somewhat disappointed:
> I cannot control who's bind()'ing to whatever port (if outside setup
> connections are allowed), and if, say, for whatever reason my cvsupd (or
> ircd, or quaked) exits, any malicious user process can issue bind() to the
> [freed] unprivileged port.  One might say this is not a big deal, since
> servers tend to restart themselves in case of any failure; however, for
> example, FTP passive mode requires setup connections allowed in a certain
> port range, and I really want only the ftp user to be able to bind() to
> those ports.  At present, there is no way in IPFW to open ports for a
> specific user/group only, while Julian's patch seems to solve the problem.
> 
> Time to revise this stuff again? :-)
> 
> The URL Julian gives in his email is no longer valid, but his patches are
> in PR misc/2386, and also can be found at ftp://regency.nsu.ru/tmp/ipfw.diff.
> 
> Sincerely,
> Alexey Dokuchaev
> 
> ------ Forwarded message ------
> Date:      Tue, 7 Jan 1997 07:01:16 +1100 (EST)
> From:      [EMAIL PROTECTED]
> To:        [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject:   new firewall code [uid/gid/bind() etc]
> Message-ID:  <[EMAIL PROTECTED]>
> 
> I tried posting the patches but, at 55k, it seems majordumbo has
> (silently) rejected them. You may find them at:
> 
>       ftp://suburbia.net/tmp/ipfw.diff
> 
> My "socket credentials" patches allow you to:
> 
>       punch wormholes, or restrict access to the IPPORT_RESERVED space, or
>       restrict access to bind() altogether based on:
> 
>               (a) uid
>               (b) gid (including secondary groups)
>               (c) port
>               (d) protocol
>               (e) interface
> 
> And more importantly:
> 
>       Restrict access to packets being sent/received on any socket based on:
> 
>               (a) the packet (per normal ipfw rules)
>               (b) uid
>               (c) gid (including secondary groups)
> 
> The former permits constructs like:
> 
> /* let uid sendmail bind to port 25 */
> # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind
> 
> /* only let inetd bind - we presume inetd still needs to run as root
>    for uid switching when forking off clients */
> 
> # addgroup inetd
> # chgrp inetd /usr/sbin/inetd
> # chmod 2700 /usr/sbin/inetd
> # killall inetd
> # ipfw add accept all from any to any bind gid inetd uid root
> # /* default policy is to deny bind */
> 
> /* keep those without security clearance out of secret network */
> # ipfw add accept all from any to any via ed0 gid secret
> # ipfw add deny all from any to any via ed0 gid any
> 
> Logging has also been enhanced:
> 
> # ipfw add 60000 accept log all from any to any bind
> /* example of named starting up */
> 
> ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
> ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
> 
> Cheers,
> Julian <[EMAIL PROTECTED]>
> 
> ------ End of forwarded message ------
> 


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-arch" in the body of the message

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
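A small parser for the enhanced bind() log format Julian shows above, added here as an example that is not part of the thread or of the patch. It assumes the `via <iface>` field is optional (as in the named example) and uses constructed log lines and a constructed map of which uids are expected to bind which reserved ports.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the format of the "ipfw: ... bind" log entries
# quoted in the thread (not real log output).
SAMPLE_LOG = """\
ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
ipfw: 5000 Allow TCP 0.0.0.0:21 0.0.0.0:0 uid 1001 gid 1001 pid 4242 bind
ipfw: 60000 Deny TCP 0.0.0.0:49152 0.0.0.0:0 uid 1002 gid 1002 pid 4243 bind
"""

# Assumption: "via <iface>" appears only when the bind is interface-specific.
LINE_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<laddr>[\d.]+):(?P<lport>\d+) (?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"(?: via (?P<iface>\S+))? uid (?P<uid>\d+) gid (?P<gid>\d+) pid (?P<pid>\d+) bind$"
)

IPPORT_RESERVED = 1024  # ports below this are the reserved space


@dataclass
class BindEvent:
    rule: int
    action: str
    proto: str
    laddr: str
    lport: int
    iface: Optional[str]
    uid: int
    gid: int
    pid: int


def parse_bind_log(text):
    """Parse bind() audit lines; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(BindEvent(int(m["rule"]), m["action"], m["proto"],
                                m["laddr"], int(m["lport"]), m["iface"],
                                int(m["uid"]), int(m["gid"]), int(m["pid"])))
    return events


def reserved_port_binds(events, allowed):
    """Allowed binds to a reserved port by a uid not expected on that port.

    `allowed` maps uid -> set of reserved ports that uid legitimately binds
    (constructed policy, e.g. {67: {53}} for named)."""
    return [e for e in events
            if e.action == "Allow" and e.lport < IPPORT_RESERVED
            and e.lport not in allowed.get(e.uid, ())]
```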