[rsbac] restricting network access

Andreas Baetz lac01 at web.de
Thu Dec 18 08:32:39 CET 2003


On Wednesday 17 December 2003 14:33, Amon Ott wrote:
>
> With TCP, the case would be clear: On accept at remote, a new port gets
>
> assigned for the connection to free port 53 for other connections.
>
> Since there is a CONNECT, it seems that the UDP socket gets pre-connected
> and thus also gets a new remote port. This means that you would have to
> allow SEND to (and RECEIVE from) high (>1023) UDP ports on the name server.
>
> You could also try in softmode to get the whole picture.
>
> Amon.

I used soft mode to get the connection and logged it with a sniffer.

It seems that there is a SEND to the DNS Server, Port 53 (according to the sniffer), 
which gets logged as SEND to the DNS Server, remote Port 13568 (according to RSBAC).

Then there is a reply by the DNS Server from Port 53  (according to the sniffer), 
which gets logged as RECEIVE from the DNS Server, remote Port 13568 (according to RSBAC).

Local Ports are the same in both logs.

The remote port which is logged by RSBAC doesn't change over several tries, always 13568.

I have a firewall in place which would prevent and log UDP packets to high ports such as 13568.
There is no firewall log, even in softmode, so I suppose the packets really go to remote port 53.

I have attached the logs.

Andreas

-------------- next part --------------
Syslog:

Dec 18 07:38:04 <server> kernel: rsbac_adf_request(): request SEND,    pid 8509, ppid 8507, prog_name MozillaFirebird, uid xxx, target_type NETOBJ, tid d6ed86f4 INET DGRAM proto UDP local eth0:<server IP>:35141 remote <dns server>:13568, attr , value 0, result NOT_GRANTED by RC
Dec 18 07:38:04 <server> kernel: rsbac_adf_request(): request RECEIVE, pid 8509, ppid 8507, prog_name MozillaFirebird, uid xxx, target_type NETOBJ, tid d6ed86f4 INET DGRAM proto UDP local eth0:<server IP>:35141 remote <dns server>:13568, attr , value 0, result NOT_GRANTED by RC

Sniffer Log:

Frame 5 (77 on wire, 77 captured)
    Arrival Time: Dec 18, 2003 07:38:04.939321000
    Time delta from previous packet: 48.714251000 seconds
    Time relative to first packet: 48.722626000 seconds
    Frame Number: 5
    Packet Length: 77 bytes
    Capture Length: 77 bytes
Ethernet II
    Destination: <MAC>
    Source: <MAC>
    Type: IP (0x0800)
Internet Protocol, Src Addr: <server IP> (<server IP>), Dst Addr: <dns server> (<dns server>)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 63
    Identification: 0x604c
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x0591 (correct)
    Source: <server IP> (<server IP>)
    Destination: <dns server> (<dns server>)
User Datagram Protocol, Src Port: 35141 (35141), Dst Port: 53 (53)
    Source port: 35141 (35141)
    Destination port: 53 (53)
    Length: 43
    Checksum: 0x1973 (correct)
Domain Name System (query)
	<snip>

Frame 6 (140 on wire, 140 captured)
    Arrival Time: Dec 18, 2003 07:38:04.941096000
    Time delta from previous packet: 0.001775000 seconds
    Time relative to first packet: 48.724401000 seconds
    Frame Number: 6
    Packet Length: 140 bytes
    Capture Length: 140 bytes
Ethernet II
    Destination: <MAC>
    Source: <MAC>
    Type: IP (0x0800)
Internet Protocol, Src Addr: <dns server> (<dns server>), Dst Addr: <server IP> (<server IP>)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 126
    Identification: 0xb469
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: UDP (0x11)
    Header checksum: 0xb234 (correct)
    Source: <dns server> (<dns server>)
    Destination: <server IP> (<server IP>)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 35141 (35141)
    Source port: 53 (53)
    Destination port: 35141 (35141)
    Length: 106
    Checksum: 0x102f (correct)
Domain Name System (response)
	<snip>
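An added check, not part of the original thread: the RSBAC figure 13568 is 0x3500 and the sniffer's 53 is 0x0035, the same 16-bit value with its two bytes swapped, which is what a port kept in network byte order looks like when printed as a little-endian host-order integer. The script below re-types the two log excerpts from this post as constructed sample lines, parses the ports out of each, and classifies the discrepancy, so that a policy is written against the port actually on the wire rather than the byte-swapped figure in the log.

```python
import re

# Constructed sample lines, re-typed from the log excerpts in this post
# (placeholders such as <server IP> kept as posted).
RSBAC_LINE = (
    "Dec 18 07:38:04 <server> kernel: rsbac_adf_request(): request SEND,    "
    "pid 8509, ppid 8507, prog_name MozillaFirebird, uid xxx, target_type NETOBJ, "
    "tid d6ed86f4 INET DGRAM proto UDP local eth0:<server IP>:35141 "
    "remote <dns server>:13568, attr , value 0, result NOT_GRANTED by RC"
)
SNIFFER_LINE = "User Datagram Protocol, Src Port: 35141 (35141), Dst Port: 53 (53)"


def rsbac_ports(line):
    """(local, remote) port numbers from an rsbac_adf_request() NETOBJ line."""
    m = re.search(r"local .*?:(\d+) remote .*?:(\d+),", line)
    if not m:
        raise ValueError("not an RSBAC NETOBJ log line")
    return int(m.group(1)), int(m.group(2))


def sniffer_ports(line):
    """(src, dst) port numbers from the sniffer's UDP summary line."""
    m = re.search(r"Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)", line)
    if not m:
        raise ValueError("not a UDP summary line")
    return int(m.group(1)), int(m.group(2))


def byteswap16(port):
    """Swap the two bytes of a 16-bit port: a network-order value read as a
    little-endian host-order integer, and vice versa (53 <-> 13568)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def classify(logged, observed):
    """Compare a port from the policy log with the one seen on the wire."""
    if logged == observed:
        return "match"
    if logged == byteswap16(observed):
        return "byte-swapped"
    return "unrelated"


def compare(rsbac_line, sniffer_line):
    """Verdict for the local and remote port of an outbound SEND."""
    local, remote = rsbac_ports(rsbac_line)
    src, dst = sniffer_ports(sniffer_line)
    return {"local": classify(local, src), "remote": classify(remote, dst)}
```

For the lines above `compare()` reports the local port as a match and the remote port as byte-swapped, which is consistent with the firewall never seeing traffic to 13568.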
