Date:      Fri, 16 Feb 2001 21:50:20 -0800
From:      Nick Sayer <nsayer@quack.kfu.com>
To:        Gordon Tetlow <gordont@bluemtn.net>
Cc:        Trevin Chow <tmchow@sfu.ca>, FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: Can't Telnet but can SSH?
Message-ID:  <3A8E111C.9060100@quack.kfu.com>
References:  <Pine.BSF.4.31.0101170041540.13539-100000@sdmail0.sd.bmarts.com>

Gordon Tetlow wrote:
> allow tcp from any to ${oip} 53 setup
> allow udp from any to ${oip} 53
> allow udp from ${oip} 53 to any
This is _exceedingly_ insecure. This allows anyone to bind any 
instrument of destruction they wish to their machine on port 53 and 
something more dangerous on your inside -- perhaps port 2049 (NFS)?

The proper solution to the problem is the stateful filtering in ipfw. 
Something like this:

ipfw add check-state
ipfw add pass udp from any to any out xmit ${oif} keep-state
ipfw add pass ip from any to any out xmit ${oif}
ipfw add pass tcp from any to any established

At this point you can add a series of tcp setup passes for allowed 
incoming connections. Such as:

ipfw add pass tcp from any to ${smtp_serv} 25 setup
# "setup" is TCP-only (it matches a SYN without ACK); a UDP rule takes no such keyword
ipfw add pass udp from any to ${dns_serv} 53
ipfw add pass tcp from any to ${dns_serv} 53 setup
ipfw add pass tcp from any to ${www_serv} 80 setup

... and so on

That's not a complete firewall by any means. You'll want to add 
anti-spoofing and other sanity checks.

This rule fragment also obviates the need for any named.conf games to 
restrict the source port of DNS queries.

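The stateless-versus-stateful distinction the message draws, as an added illustration that is not part of the original thread and not ipfw's own code: a toy Python evaluator for a subset of ipfw rule syntax (check-state, keep-state, setup, established, in/out; the `xmit ${oif}` interface clause is reduced to a plain direction). The addresses, the attacker binding source port 53, and the stateless ruleset that trusts any datagram sourced from port 53 are constructed assumptions that model the pattern the message warns against, not the quoted rules verbatim.

```python
"""Toy ipfw-style filter: stateless port matching vs check-state/keep-state.
Added illustration for this thread, not ipfw code and not the poster's ruleset.
Subset of ipfw syntax only; "xmit ${oif}" clauses are reduced to plain in/out."""
from dataclasses import dataclass, field

INSIDE = "192.0.2.10"      # protected host (constructed, TEST-NET-1)
NS = "198.51.100.53"       # its upstream resolver (constructed)
ATTACKER = "203.0.113.7"   # hostile source (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str              # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    syn_only: bool = False  # TCP SYN without ACK: what ipfw "setup" matches
    ack: bool = False       # TCP ACK or RST set: what ipfw "established" matches

def parse_rule(rule):
    """Parse '<action> <proto> from <src> [port] to <dst> [port] [opts]'."""
    t = rule.split()
    if t == ["check-state"]:
        return {"action": "check-state"}
    r = {"action": t[0], "proto": t[1], "src": t[3], "sport": None, "dst": None,
         "dport": None, "dir": None, "setup": False, "established": False, "keep": False}
    i = 4
    if t[i].isdigit():
        r["sport"], i = int(t[i]), i + 1
    if t[i] != "to":
        raise ValueError(f"expected 'to' in {rule!r}")
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i].isdigit():
        r["dport"], i = int(t[i]), i + 1
    for opt in t[i:]:
        if opt in ("in", "out"):
            r["dir"] = opt
        elif opt in ("setup", "established"):
            r[opt] = True
        elif opt == "keep-state":
            r["keep"] = True
        else:
            raise ValueError(f"unsupported token {opt!r} in {rule!r}")
    return r

def matches(r, p):
    """Stateless match of a parsed rule against one packet."""
    return (r["proto"] in ("ip", p.proto)
            and r["src"] in ("any", p.src)
            and (r["sport"] is None or r["sport"] == p.sport)
            and r["dst"] in ("any", p.dst)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["dir"] is None or r["dir"] == p.direction)
            and (not r["setup"] or (p.proto == "tcp" and p.syn_only))
            and (not r["established"] or (p.proto == "tcp" and p.ack)))

def flow_key(p):
    """Dynamic-rule key: one entry covers both directions of a flow."""
    return frozenset({(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)})

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)  # entries created by keep-state

    def evaluate(self, p):
        """First matching rule wins; an unmatched packet is denied."""
        for rule in self.rules:
            r = parse_rule(rule)
            if r["action"] == "check-state":
                if flow_key(p) in self.dynamic:
                    return "pass"
                continue
            if matches(r, p):
                if r["keep"]:
                    self.dynamic.add(flow_key(p))
                return "pass" if r["action"] in ("pass", "allow") else "deny"
        return "deny"

# The stateful shape recommended in the message, minus interface names.
STATEFUL = ["check-state", "pass udp from any to any out keep-state",
            "pass ip from any to any out", "pass tcp from any to any established",
            f"pass tcp from any to {INSIDE} 25 setup", f"pass udp from any to {INSIDE} 53",
            f"pass tcp from any to {INSIDE} 53 setup", "deny ip from any to any"]
# Stateless shape that trusts anything sourced from port 53 (constructed; the pattern warned against).
STATELESS = ["pass udp from any to any out", f"pass udp from any 53 to {INSIDE}",
             "deny ip from any to any"]

def dns_roundtrip(fw):
    """Outbound query from an ephemeral port, then the resolver's reply."""
    query = Packet("udp", INSIDE, 4321, NS, 53, "out")
    reply = Packet("udp", NS, 53, INSIDE, 4321, "in")
    return fw.evaluate(query), fw.evaluate(reply)

def unsolicited_from_port_53(fw):
    """Attacker binds source port 53 and aims a UDP datagram at NFS (2049)."""
    return fw.evaluate(Packet("udp", ATTACKER, 53, INSIDE, 2049, "in"))

def ack_probe_to_nfs(fw):
    """TCP segment with ACK set and no prior state: what a bare 'established' rule admits."""
    return fw.evaluate(Packet("tcp", ATTACKER, 40000, INSIDE, 2049, "in", ack=True))
```

Under the stateful list the unsolicited port-53 datagram to 2049 is denied, because no outbound query created a dynamic entry for that flow; under the stateless list it is passed on the strength of its source port alone. The toy also shows one reason the message calls its fragment incomplete: `pass tcp from any to any established` admits any TCP segment with the ACK bit set, state or not, so an ACK probe to 2049 gets through the stateful list too. That is the kind of sanity check the message leaves to the reader.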
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A8E111C.9060100>