LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page "Firewall UDP Packet Source Port 53 Ruleset Bypass"
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-14-2009, 01:25 PM   #1
fantasygoat
Member
 
Registered: Sep 2009
Posts: 119

Rep: Reputation: 17
"Firewall UDP Packet Source Port 53 Ruleset Bypass"

A client is running a security scan on his website and getting the following critical hit:

Quote:
Firewall UDP Packet Source Port 53 Ruleset Bypass

It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.
Anyone know how to prevent this critical trigger but still allow DNS lookups on the server?
 
Old 12-14-2009, 01:44 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
It sounds like you've got a firewall rule which allows incoming UDP packets with source port 53. If so, maybe get rid of that rule and rely on the ESTABLISHED match?
 
Old 12-14-2009, 01:47 PM   #3
fantasygoat
Member
 
Registered: Sep 2009
Posts: 119

Original Poster
Rep: Reputation: 17
The problem is, when I block anything with a source port of 53, all DNS queries fail, even though I expressly open all traffic from local addresses.
 
Old 12-14-2009, 01:53 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by fantasygoat View Post
The problem is, when I block anything with a source port of 53, all DNS queries fail, even though I expressly open all traffic from local addresses.
Then you're not using the ESTABLISHED state.
Code:
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
If you execute that command, your DNS queries should work just fine without the need for any source port rules.
 
Old 12-14-2009, 01:56 PM   #5
fantasygoat
Member
 
Registered: Sep 2009
Posts: 119

Original Poster
Rep: Reputation: 17
The very first rule in the list is to allow established connections.
 
Old 12-14-2009, 01:57 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Okay, let's see the configuration of your INPUT and OUTPUT chains.
Code:
iptables -nvL INPUT
iptables -nvL OUTPUT
If this is a dedicated firewall (instead of host-based), post the FORWARD chain instead.
Last edited by win32sux; 12-14-2009 at 01:58 PM.
 
Old 12-14-2009, 01:59 PM   #7
fantasygoat
Member
 
Registered: Sep 2009
Posts: 119

Original Poster
Rep: Reputation: 17
Alas, this box is running ipfw, not iptables! It's quite old. I was hoping some general firewall knowledge would help.
 
Old 12-14-2009, 02:08 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by fantasygoat View Post
Alas, this box is running ipfw, not iptables! It's quite old. I was hoping some general firewall knowledge would help.
You mean ipfw as in the FreeBSD firewall?

If this is GNU/Linux, then anything before iptables will be stateless AFAIK.
 
Old 12-14-2009, 02:16 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
FWIW, a stateless workaround for the issue mentioned in the raised alert would be to add the DNS server's IP as a source address to your current source port rule, thereby making it much more specific.
Last edited by win32sux; 12-14-2009 at 02:19 PM.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can I use "onMouse" events and bypass their effect? rblampain Programming 2 03-08-2008 04:50 AM
service called "doom" using udp port 666 djcham Linux - Networking 1 12-13-2006 01:38 PM
How to specify source port when sending UDP packet socialjazz Programming 4 09-19-2006 08:15 PM
Can you explain the difference between "Free Software (GNU)" and "Open Source"? vharishankar General 5 03-03-2005 09:40 AM
firewall.rc.config says :"open port 8080" but nmap says port is closed saavik Linux - Security 2 02-14-2002 12:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:22 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration