Re: How to use ipfw to restrict a certain user?

From: Christian S.J. Peron (csjp_at_FreeBSD.ORG)
Date: 06/09/04


Date: Wed, 09 Jun 2004 14:55:27 GMT

In article <1gf37oh.1epr9h3mnnziqN%i97_bedREMOVETHIS@i.kth.se>, david bonde wrote:
> Sorry for the probably quite trivial questions. Been looking at
> uncountable web pages without finding the final answer...
>
> Background:
>
> I have a user, user1, that should be allowed to ssh to a machine, serverA,
> and open a TCP-tunnel to another machine serverB on port 99. This is the
> only network activity he must be allowed to do. No UDP, no ICMP, no RAW
> (?), no other TCP connections than the tunnel described above.
>
> I have come up with these rules:
>
> % ipfw list
> 00110 allow tcp from any to serverB 99 uid user1 setup
> 00210 allow tcp from any to any established
> 00310 deny ip from any to any uid user1
> 65535 allow ip from any to any
>
> However, there is at least one problem with these rules: ICMP is not
> blocked for this user - he can ping and traceroute. UDP is probably also
> not blocked (any suggestions for common CLI programs that use UDP so I
> can test?).

There are a few main points here:
    o Currently UID/GID constraints only apply to TCP/UDP.
    o raw sockets can only be created as root. You will note
      that traceroute and ping are both setuid for the
      purposes of raw socket creation.

      -r-sr-xr-x 1 root wheel 23320 May 7 20:15 /usr/sbin/traceroute
      -r-sr-xr-x 1 root wheel 21104 May 7 01:15 /sbin/ping

      So even if you could constrain raw sockets, the firewall rule
      restricting "user1" would not even work.

I might suggest looking into the following possible solutions:
    o Remove the setuid bit from these utilities.
    o Restrict execution access to these utilities through permissions.
    o If you are on a 5.x machine, implement POSIX.1e ACLs through
      setfacl to implement more granular execution access controls.

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
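To make the point of the reply concrete, here is a small added model (not ipfw code and not from the original thread) of how the quoted ruleset is walked for a packet. It assumes the simplified semantics the reply describes: rules are tried in number order, `ip` matches every protocol, and `uid` is only evaluated for TCP and UDP. The host names, ports and the `Packet`/`Rule` types are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination host
    dport: Optional[int]       # destination port (None for ICMP)
    uid: str                   # owner of the sending socket, as ipfw sees it
    setup: bool = False        # TCP SYN without ACK
    established: bool = False  # TCP segment with ACK set

@dataclass
class Rule:
    num: int
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches every protocol
    dst: str                   # "any" or a host name
    dport: Optional[int] = None
    uid: Optional[str] = None
    setup: bool = False
    established: bool = False

# The ruleset quoted in the post, in processing order (65535 is the default).
RULESET = [
    Rule(110, "allow", "tcp", "serverB", 99, "user1", setup=True),
    Rule(210, "allow", "tcp", "any", established=True),
    Rule(310, "deny", "ip", "any", uid="user1"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if (rule.setup and not pkt.setup) or (rule.established and not pkt.established):
        return False
    if rule.uid is not None:
        # The reply's key point: uid/gid options are only evaluated for
        # TCP and UDP, so a uid rule can never match ICMP (ping, traceroute).
        # Setuid ping would carry uid root anyway, not user1.
        if pkt.proto not in ("tcp", "udp") or rule.uid != pkt.uid:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, else the default 65535 allow."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.num, rule.action
    return 65535, "allow"
```

Run against the model, user1's tunnel SYN hits rule 110, a UDP datagram from user1 is stopped by rule 310, and ICMP falls through to 65535 regardless of uid, which is exactly the leak the poster observed.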

