On Thu, 10 Jul 2008, Tim Clewlow wrote:
Can you make a pf rule that NATs all outgoing udp queries from BIND
with
random source ports? That seems like it would have exactly the same
effect as BIND randomizing the source ports itself.
Assuming this is NOT a gateway, i.e. a single-homed DNS server.
This has not been tested, and may not work, but anyway, how about:
nic="network interface name"
bind_port="source port number you have set bind to ALWAYS use"
nat on $nic from any port $bind_port to any -> ($nic)
This _should_ do a special NAT of both UDP and TCP traffic, i.e. keep
the same source IP but randomly pick a new source port.
I haven't had time to set up a jail/test DNS to try this on; maybe
it won't work at all, but that should give you an idea.
Cheers, Tim.
Yes, using pf's NAT seems to work, although doxpara's checker claims that
it is not working.
Here's what tcpdump on the external side of NAT shows me after I nat port
53 traffic:
06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A?
www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A
64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A?
news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956: 21333*- 1/7/8 CNAME
news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A?
news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784: 61468*- 2/0/0 A
72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A?
maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956: 59557*- 1/7/8 CNAME
maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A?
maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680: 11160*- 3/0/0 A
64.233.167.104,[|domain]
As you can see, we get a different source port for each server that we
connect to. I would assume that makes us secure.
But the checker at doxpara doesn't think we're secure because it's just
one server that we're connecting to repeatedly.
06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A?
46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575: 38156*- 1/0/0
CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575: 11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575: 57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575: 31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575: 4662*-[|domain]
So there we go, we saved the internet with NAT. :)
-Mike
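The two captures above are worth checking mechanically rather than by eye. The following script is an added example and is not code from Tim's or Mike's messages: it reads tcpdump lines of the form shown, keeps only the outbound queries from the resolver to port 53, and reports, per upstream server, how many queries went out and how many distinct source ports were used. The sample capture embedded in it is constructed from the lines Mike posted (with his SILBYIP placeholder kept as the resolver name); the function names, the "reused"/"varied" labels and the SILBYIP default are this example's own assumptions. Run over that sample it flags 209.200.168.66, the doxpara server, as receiving five queries from one port, and it also surfaces something the post did not remark on: 216.239.36.10 got both the news.google.com and the maps.google.com queries from port 59956, thirteen seconds apart.

```python
"""Check a tcpdump capture for DNS source-port reuse behind a NAT.

Added example, not code from the thread. A NAT such as pf keys its state
on the full (src, sport, dst, dport) tuple, so once a state exists for
resolver:53 -> server:53, later queries to the same server keep the same
translated port until the UDP state expires. This script makes that
reuse visible per upstream server.
"""
import re
from collections import defaultdict

# Constructed sample, assembled from the tcpdump lines quoted in the post.
# "SILBYIP" is the post's placeholder for the resolver's own address.
SAMPLE_CAPTURE = """\
06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A? maps.google.com. (44)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A? maps.l.google.com. (46)
06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
"""

# tcpdump -n style line: TIME IP SRC.SPORT > DST.DPORT: TXID ...
# Hosts may be dotted-quad addresses or names; the last "." splits off the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<txid>\d+)"
)


def parse_queries(capture, resolver):
    """Return the outbound DNS queries (resolver -> some server:53) as dicts."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != resolver or m.group("dport") != "53":
            continue  # replies, non-DNS traffic, or lines tcpdump truncated oddly
        queries.append({
            "ts": m.group("ts"),
            "server": m.group("dst"),
            "sport": int(m.group("sport")),
            "txid": int(m.group("txid")),
        })
    return queries


def port_usage_by_server(queries):
    """Group queries by upstream server: {server: {"count": n, "ports": [...]}}."""
    usage = defaultdict(lambda: {"count": 0, "ports": set()})
    for q in queries:
        usage[q["server"]]["count"] += 1
        usage[q["server"]]["ports"].add(q["sport"])
    return {s: {"count": v["count"], "ports": sorted(v["ports"])}
            for s, v in usage.items()}


def verdict(usage):
    """Label each server: 'single-query', 'reused' (several queries, one port) or 'varied'."""
    out = {}
    for server, v in usage.items():
        if v["count"] == 1:
            out[server] = "single-query"
        elif len(v["ports"]) == 1:
            out[server] = "reused"
        else:
            out[server] = "varied"
    return out


def report(capture, resolver="SILBYIP"):
    """One summary line per server, sorted by server address."""
    usage = port_usage_by_server(parse_queries(capture, resolver))
    labels = verdict(usage)
    return [
        f"{server:16} queries={usage[server]['count']:2} "
        f"distinct_ports={len(usage[server]['ports']):2} -> {labels[server]}"
        for server in sorted(usage)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

To run it against a live box, capture with something like `tcpdump -n -i <nic> udp port 53` on the external side of the NAT and pass the text to `report()` with the resolver's address as the `resolver` argument. The "reused" label is the condition the doxpara checker is sensitive to: a server that the resolver queries repeatedly inside one UDP state lifetime sees a fixed port, which is the same situation an attacker creates by making the resolver query the attacker's chosen authoritative server over and over.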
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"