Theo Wiegmann
2008-Jul-26 00:30 UTC
Changes necessary to support randomized ports for DNS vulnerability?
Hello Shorewall users,

I'm sure you all know about the big DNS vulnerability that was recently announced, where the fix involves randomized source ports for DNS requests (http://www.doxpara.com/). In Shorewall, do any configuration changes need to be made in order to enable this new behaviour?

The official document at http://www.isc.org/sw/bind/bind-security.php mentions:

"DNS administrators who operate these servers behind port-restricted firewalls are encouraged to review their firewall policies to allow this protocol-compliant behavior. Restricting the possible use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding replies will result in decreased security for the DNS service."

This seems relevant since the "test your DNS" tool at Doxpara.com says I'm still vulnerable, even though I've updated to the updated 9.5.0-P1 BIND version and restarted the process.

I'm using Shorewall 4.0.11. My DNS-related entries in the Rules file are:

DNS/ACCEPT $FW net
DNS/ACCEPT loc $FW

Many thanks,
Walter Wiegmann

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Tom Eastep
2008-Jul-26 00:37 UTC
Re: Changes necessary to support randomized ports for DNS vulnerability?
Theo Wiegmann wrote:
>
> DNS/ACCEPT $FW net
> DNS/ACCEPT loc $FW

Those rules are not affected by the recent bind upgrade.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Theo Wiegmann
2008-Jul-26 14:24 UTC
Re: Changes necessary to support randomized ports for DNS vulnerability?
Tom Eastep wrote:
>> DNS/ACCEPT $FW net
>> DNS/ACCEPT loc $FW
>
> Those rules are not affected by the recent bind upgrade.

Thanks, Tom. That let me approach the problem from a different perspective. I figured out what I was doing wrong: I needed to remove an entry from the named.conf file:

query-source port 53;

Now, all queries are using randomized ports!

Walter Wiegmann
Roberto C. Sánchez
2008-Jul-26 15:10 UTC
Re: Changes necessary to support randomized ports for DNS vulnerability?
On Sat, Jul 26, 2008 at 09:24:23AM -0500, Theo Wiegmann wrote:
> Tom Eastep wrote:
> >> DNS/ACCEPT $FW net
> >> DNS/ACCEPT loc $FW
> >
> > Those rules are not affected by the recent bind upgrade.
>
> Thanks, Tom. That let me approach the problem from a different
> perspective. I figured out what I was doing wrong: I needed to remove
> an entry from the named.conf file:
>
> query-source port 53;
>
> Now, all queries are using randomized ports!
>

Are you using Debian? A while back that directive was the default in Debian's BIND configuration.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Simon Hobson
2008-Jul-26 17:15 UTC
Re: Changes necessary to support randomized ports for DNS vulnerability?
Theo Wiegmann wrote:
> >> DNS/ACCEPT $FW net
> >> DNS/ACCEPT loc $FW
>
> Thanks, Tom. That let me approach the problem from a different
> perspective. I figured out what I was doing wrong: I needed to remove
> an entry from the named.conf file:
>
> query-source port 53;
>
> Now, all queries are using randomized ports!

A lot depends on your default policies. If you have a default of allowing outgoing connections, then the first rule above is superfluous as it simply allows something that is already allowed. However, if you have a default policy to block outgoing connections, then that rule is required.

You should note that the rule matches the DESTINATION port=53 and so is unaffected by whether you use 53 or a random source port.
Michael Loftis
2008-Jul-26 17:51 UTC
Re: Changes necessary to support randomized ports for DNS vulnerability?
<reply below>

--On July 26, 2008 9:24:23 AM -0500 Theo Wiegmann <twiegmann@uwf.edu> wrote:
> Tom Eastep wrote:
>>> DNS/ACCEPT $FW net
>>> DNS/ACCEPT loc $FW
>>
>> Those rules are not affected by the recent bind upgrade.
>
> Thanks, Tom. That let me approach the problem from a different
> perspective. I figured out what I was doing wrong: I needed to remove
> an entry from the named.conf file:
>
> query-source port 53;
>
> Now, all queries are using randomized ports!

The linux firewall is not rule, but flow/state based. When you accept an outgoing flow, the return packets are implicitly accepted. Thus an ACCEPT on port 53 outbound will implicitly match the reply packets coming back to the source port that was randomly selected. The same thing happens with HTTP, SSH, etc (even though those are TCP and DNS is UDP, typically).

> Walter Wiegmann
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler
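The two explanations in this thread (Simon's: the rule matches the destination port 53 and never looks at the source port; Michael's: reply packets are admitted by connection state, not by a rule) can be checked against a small model of a stateful firewall. The code below is an added example, not part of the thread and not Shorewall's or netfilter's code. It assumes the Shorewall `DNS` macro expands to UDP and TCP destination port 53 (which it does), models conntrack as a set of 5-tuples, and uses constructed addresses and constructed query log lines. The last function does what the "test your DNS" sites do in spirit: count distinct source ports across outbound queries, where a single port across many queries is the fixed-port behaviour that removing `query-source port 53;` cures.

```python
"""Added example: a minimal stateful-firewall model for the DNS case above.
Not Shorewall or netfilter code; all addresses and log lines are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_from: str  # Shorewall-style zone the packet comes from
    zone_to: str    # zone it is headed to


class StatefulFirewall:
    """Rule list plus a conntrack-like table keyed by the 5-tuple (assumed model)."""

    def __init__(self, rules, policy="DROP"):
        self.rules = rules      # entries of (zone_from, zone_to, proto, dport)
        self.policy = policy    # default verdict when no flow and no rule match
        self.flows = set()      # accepted flows, stored in the original direction

    def handle(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. ESTABLISHED: a retransmission of an accepted flow, or its reply.
        #    The reply is accepted because of state, not because of any rule.
        if key in self.flows or reverse in self.flows:
            return "ACCEPT (established)"
        # 2. NEW: consult the rules. Only zones, protocol and the DESTINATION
        #    port are compared; the source port is never looked at.
        for zone_from, zone_to, proto, dport in self.rules:
            if (zone_from, zone_to, proto, dport) == (pkt.zone_from, pkt.zone_to, pkt.proto, pkt.dport):
                self.flows.add(key)
                return "ACCEPT (new, rule)"
        return self.policy


# "DNS/ACCEPT $FW net" as its assumed expansion: UDP and TCP port 53, fw -> net
DNS_RULES = [("fw", "net", "udp", 53), ("fw", "net", "tcp", 53)]
RESOLVER = "192.0.2.10"       # constructed: the BIND host behind the firewall
UPSTREAM = "198.51.100.53"    # constructed: an authoritative server out on the net


def dns_round_trip(sport: int, policy="DROP"):
    """One query from the firewall host using the given source port.
    Returns (verdict for the query, verdict for the reply)."""
    fw = StatefulFirewall(DNS_RULES, policy)
    query = Packet("udp", RESOLVER, sport, UPSTREAM, 53, "fw", "net")
    reply = Packet("udp", UPSTREAM, 53, RESOLVER, sport, "net", "fw")
    return fw.handle(query), fw.handle(reply)


def unsolicited_reply(sport: int) -> str:
    """A packet from port 53 aimed at the resolver with no matching query:
    no flow exists, no rule allows net -> fw, so the policy applies."""
    fw = StatefulFirewall(DNS_RULES, "DROP")
    return fw.handle(Packet("udp", UPSTREAM, 53, RESOLVER, sport, "net", "fw"))


def source_port_spread(log_lines):
    """Distinct source ports used by outbound UDP port-53 queries.
    Constructed line format: '<src>:<sport> -> <dst>:<dport>/<proto>'."""
    ports = set()
    for line in log_lines:
        src, _, rest = line.partition(" -> ")
        dst, proto = rest.rsplit("/", 1)
        if proto == "udp" and int(dst.rsplit(":", 1)[1]) == 53:
            ports.add(int(src.rsplit(":", 1)[1]))
    return ports


# Constructed query logs: the first is what 'query-source port 53;' produces,
# the second is what a resolver with randomized source ports produces.
FIXED_PORT_LOG = [f"{RESOLVER}:53 -> 198.51.100.{i}:53/udp" for i in range(1, 6)]
RANDOM_PORT_LOG = [
    f"{RESOLVER}:41237 -> 198.51.100.1:53/udp",
    f"{RESOLVER}:59002 -> 198.51.100.2:53/udp",
    f"{RESOLVER}:33410 -> 198.51.100.3:53/udp",
    f"{RESOLVER}:62871 -> 198.51.100.4:53/udp",
    f"{RESOLVER}:45116 -> 198.51.100.5:53/udp",
]

if __name__ == "__main__":
    print("source port 53:   ", dns_round_trip(53))
    print("source port 41237:", dns_round_trip(41237))
    print("unsolicited reply:", unsolicited_reply(41237))
    print("fixed-port spread: ", len(source_port_spread(FIXED_PORT_LOG)))
    print("random-port spread:", len(source_port_spread(RANDOM_PORT_LOG)))
```

Running it shows the query accepted by the rule and the reply accepted as established whether the source port is 53 or a random high port, so no Shorewall change is needed for the BIND fix; the same reply with no preceding query falls through to the DROP policy. The spread check is the defender's view of the thread's diagnosis: one distinct port across many queries is the fixed-port configuration, many distinct ports is the randomized one.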