Date:      Wed, 20 Mar 2002 17:06:06 +0000
From:      Daniel Bye <dan@slightlystrange.org>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw rules: dangerous rules?
Message-ID:  <20020320170606.GD27566@icarus.slightlystrange.org>
In-Reply-To: <200203201749.08396@silver.dt1.binity.net>
References:  <3C992774.D763B085@froekjaer.org> <Pine.GSO.4.33.0203201646400.12073-100000@bark> <20020320160349.GB27566@icarus.slightlystrange.org> <200203201749.08396@silver.dt1.binity.net>

On Wed, Mar 20, 2002 at 05:52:11PM +0100, Walter Hop wrote:
> [in reply to Daniel Bye, Wednesday 20 March 2002 17:03]
> 
> [Proposed ruleset to allow DNS]
> > > ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> > > ipfw add allow udp from DNS-IP 53 to any in via INTERFACE
> 
> Wouldn't this ruleset allow evil people to send udp packets from their 
> port 53 to an arbitrary UDP port on this box, and possibly reach local 
> services such as rpc, nfs and smb by this rule? Or am I being paranoid? :)


Agreed in principle.  However, I think Paul intended for his rules to be 
altered to include the IP addresses of trusted name servers, and not to be
left as "allow udp from any 53 to any in via tun0".  I am sure there are 
plenty of people out there far cleverer than me who know of ways to make it
even tighter, and I would like to hear any suggestions (I currently use a 
setup very much like this).

And a little bit of paranoia is, IMO, a Good Thing!

> 
> walter
> 
> -- 
>  Walter Hop <walter@binity.com> | +31 6 24290808 | PGP keyid 0x84813998
>  
> 


Cheers,

Dan
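
Added example, not part of the thread: a small Python model of ipfw first-match evaluation that puts the inbound rule as quoted (source left as "any") beside the same rule narrowed to a trusted resolver, as Daniel suggests. The host and resolver addresses, and the probe aimed at the local portmapper, are constructed sample values.

```python
"""Toy first-match evaluator for the two UDP/53 rule shapes in the thread.

Models only protocol, address and port matching plus ipfw's first-match
semantics. Interfaces, direction and keep-state are deliberately left out.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "udp", "tcp" or "ip" (any protocol)
    src: str              # CIDR, or "any"
    sport: Optional[int]  # None = any port
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        def net_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        def port_ok(spec: Optional[int], port: int) -> bool:
            return spec is None or spec == port
        return ((self.proto == "ip" or self.proto == p.proto)
                and net_ok(self.src, p.src) and port_ok(self.sport, p.sport)
                and net_ok(self.dst, p.dst) and port_ok(self.dport, p.dport))

def verdict(rules: List[Rule], packet: Packet) -> str:
    """ipfw semantics: the first matching rule decides; implicit final deny."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "deny"

HOST = "192.0.2.10"            # constructed: the firewall's own address
TRUSTED_DNS = "198.51.100.53"  # constructed: the ISP's resolver

# Inbound half of the quoted ruleset with the source left as "any".
LOOSE = [Rule("allow", "udp", "any", 53, "any", None)]
# The same rule restricted to the trusted resolver and this host.
TIGHT = [Rule("allow", "udp", TRUSTED_DNS + "/32", 53, HOST + "/32", None)]

# A genuine reply from the resolver, and a packet from elsewhere that
# carries source port 53 towards the local portmapper (111/udp).
REPLY = Packet("udp", TRUSTED_DNS, 53, HOST, 40000)
PROBE = Packet("udp", "203.0.113.7", 53, HOST, 111)

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, verdict(rules, REPLY), verdict(rules, PROBE))
```

The loose rule passes both packets, the tight one passes only the real reply. Since a source address can be forged just like a source port, ipfw's `keep-state` on the outbound query (so only replies to queries the box actually sent are let back in) is the tighter variant Daniel is asking about.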
