Date:      Fri, 26 Sep 1997 08:32:49 +0200 (SAT)
From:      Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To:        nate@mt.sri.com (Nate Williams)
Cc:        danny@panda.hilink.com.au, nate@mt.sri.com, security@FreeBSD.ORG
Subject:   Re: rc.firewall weakness?
Message-ID:  <199709260632.IAA14725@oskar.nanoteq.co.za>
In-Reply-To: <199709260609.AAA21538@rocky.mt.sri.com> from Nate Williams at "Sep 26, 97 00:09:07 am"

Hi ...

> > > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > > > 
> > > > What about:
> > > > 
> > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> > > 
> > > It doesn't work that way. ;(
> > 
> > No?  My cursory reading of ip_fw.c indicates that it does, but I'm happy 
> > to be shown otherwise, as I don't consider myself to be a C expert.
> > Or are you referring to the fact that you  need a more comprehensive 
> > ruleset to be effective?
> 
> I had a discussion with Alex a while back, and if my memory isn't
> failing me this didn't work.  I don't know why either, and I haven't
> looked at the sources.  Perhaps it's been fixed to work, but I haven't
> seen anything significant since the discussion.
> 

Aren't we just having a communications gap here ??? ... I thought
the 53<->53 just meant a rule like this ..

accept udp from any 53 to any 53

Which is possible to configure ... I use it often for routing info
to be exchanged ...  e.g.

accept udp from any 520 to 1.2.3.4 520 in recv ed0

and that works fine ....


Reinier
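Added illustration (not code from this thread or from FreeBSD's ip_fw.c): a small Python model of ipfw's ordered, first-match rule evaluation, with a parser for the rule subset quoted above ("from any 53 to 1.2.3.4 53 in", "in recv ed0"). It shows the practical difference between a rule that constrains only the source port and the "53<->53" form that constrains both, and how the "recv ed0" qualifier binds a rule to one interface. It assumes a kernel whose fall-through rule 65535 is deny (the default-to-accept build option is not set); packet addresses are constructed from documentation ranges.

```python
"""Tiny ipfw-style first-match evaluator (added illustration, not FreeBSD's ip_fw.c)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str          # interface the packet was received on


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow"/"accept" or "deny"
    proto: str
    src: str                     # "any" or a single address
    sport: Optional[int]         # None matches every source port
    dst: str
    dport: Optional[int]         # None matches every destination port
    direction: Optional[str]     # "in", "out" or None (both)
    recv: Optional[str]          # "recv <iface>" restriction, if given


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread, e.g.
    'ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in recv ed0'."""
    tok = text.split()
    if tok[:2] == ["ipfw", "add"]:
        tok = tok[2:]
    number = int(tok.pop(0))
    action = tok.pop(0)
    proto = tok.pop(0)
    if tok.pop(0) != "from":
        raise ValueError("expected 'from'")
    src = tok.pop(0)
    sport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    if tok.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst = tok.pop(0)
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    direction = recv = None
    while tok:
        t = tok.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t == "recv":
            recv = tok.pop(0)
        else:
            raise ValueError(f"unsupported option {t!r}")
    return Rule(number, action, proto, src, sport, dst, dport, direction, recv)


def rule_matches(r: Rule, p: Packet) -> bool:
    # Every field that the rule leaves unspecified (None / "any") matches anything.
    return (r.proto in ("ip", "all", p.proto)
            and r.src in ("any", p.src)
            and r.sport in (None, p.sport)
            and r.dst in ("any", p.dst)
            and r.dport in (None, p.dport)
            and r.direction in (None, p.direction)
            and r.recv in (None, p.iface))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Lowest-numbered matching rule wins; otherwise fall through to the
    implicit rule 65535, assumed here to be deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, p):
            verdict = "allow" if r.action in ("allow", "accept", "pass", "permit") else "deny"
            return r.number, verdict
    return 65535, "deny"


# Constructed packets (192.0.2.0/24 is a documentation range, not a real host).
DNS_REPLY = Packet("udp", "192.0.2.10", 53, "1.2.3.4", 53, "in", "ed0")
# Same source port 53, but aimed at an unrelated high port on the firewall host.
SRC53_TO_HIGHPORT = Packet("udp", "192.0.2.10", 53, "1.2.3.4", 2049, "in", "ed0")
RIP_ED0 = Packet("udp", "192.0.2.1", 520, "1.2.3.4", 520, "in", "ed0")
RIP_ED1 = Packet("udp", "192.0.2.1", 520, "1.2.3.4", 520, "in", "ed1")

# Source-port-only rule versus the "53<->53" form discussed in the thread.
LOOSE = [parse_rule("ipfw add 1000 allow udp from any 53 to 1.2.3.4 in")]
STRICT = [parse_rule("ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in"),
          parse_rule("ipfw add 1100 accept udp from any 520 to 1.2.3.4 520 in recv ed0")]


def compare() -> dict:
    return {
        "loose_dns": evaluate(LOOSE, DNS_REPLY)[1],
        "loose_src53_highport": evaluate(LOOSE, SRC53_TO_HIGHPORT)[1],
        "strict_dns": evaluate(STRICT, DNS_REPLY)[1],
        "strict_src53_highport": evaluate(STRICT, SRC53_TO_HIGHPORT)[1],
        "rip_ed0": evaluate(STRICT, RIP_ED0)[1],
        "rip_ed1": evaluate(STRICT, RIP_ED1)[1],
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

Running it shows the loose rule admitting any UDP datagram whose source port happens to be 53, whatever its destination port, while the 53<->53 rule admits only the DNS-to-DNS case; the RIP rule with "recv ed0" matches on ed0 and falls through to the deny on ed1. Real ipfw also matches netmasks, port ranges and TCP flags, which this model omits.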


