Re: [fw-wiz] Securing a Linux Firewall

From: Kyle R. Hofmann (
Date: 07/24/02

To: Carson Gaspar <>
From: "Kyle R. Hofmann" <>
Date: Wed Jul 24 18:47:01 2002

On Wed, 24 Jul 2002 00:13:52 -0400, Carson Gaspar wrote:
> On Tuesday, July 23, 2002 4:01 PM -0600 John McDermott <> wrote:
> > This, I believe, presumes that you are *100% sure* that the given binary
> > can grant no additional privs. I am seldom that sure about software.
> If it is not setuid, and not setgid, it _can't_ grant you extra privs
> (ignoring funky capability ACLs and the like).

This is not true. You assume that the attacker has already achieved shell
access or something equivalent. This is not necessarily true.

Suppose that your firewall has the option to run an outside program on a fixed
event (e.g., it could run a program to page you if you get portscanned).
Forget, for a moment, the fact that you personally may not want this feature
(or misfeature), and assume that you must live with it.

In the best case, there will be no problems--the firewall and the outside
program will both be bugfree. There is also the possibility, however, that
the firewall will not be bugfree, and the attacker will be able to execute
an arbitrary program of his choosing. He may choose to execute /bin/sh, for
example. He cannot execute it, however, if it's not there. So maybe instead
he'll try to execute /bin/bash or /bin/ksh or /bin/csh or something like that.
But if they're not there, either, he has to execute commands one at a time,
and if the firewall crashes because he's, say, smashed the stack, then he
only gets one command per restart of the firewall.

Now, if you have enough programs on the firewall and he has enough chances,
he may still be able to find a way in. He may try to get the output of "ls
-laR /" and then search through it for shells or other useful programs that
he can run when the firewall is rebooted. But if they aren't there, he can't
use them. He may still be able to disable your firewall and get broader
access, but he won't be able to use the firewall as a DDoS zombie or an IRC

I admit that these circumstances won't always apply, and that in the usual
case, having additional binaries on the system won't help or hurt your
security. But you should already be protected from the usual case; it's the
unusual cases that you need extra layer of paranoia for.

Kyle R. Hofmann <>