From owner-freebsd-questions Mon Jan 14 23:13:32 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from kabel203069.kabel.utwente.nl (kabel203069.kabel.utwente.nl [130.89.203.69])
        by hub.freebsd.org (Postfix) with ESMTP id EBB1737B402
        for ; Mon, 14 Jan 2002 23:13:24 -0800 (PST)
Received: by kabel203069.kabel.utwente.nl (Postfix, from userid 1000)
        id B3B861F91; Tue, 15 Jan 2002 08:13:16 +0100 (CET)
Date: Tue, 15 Jan 2002 08:13:16 +0100
From: Rogier Steehouder
To: Chris Appleton
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules
Message-ID: <20020115081316.A595@localhost>
References: <20020112131010.B31058@b1n.org> <20020114163918.21575.qmail@web14802.mail.yahoo.com>
In-Reply-To: <20020114163918.21575.qmail@web14802.mail.yahoo.com>; from appleton_chris@yahoo.com on Mon, Jan 14, 2002 at 08:39:18AM -0800
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 14-01-2002 08:39 (-0800), Chris Appleton wrote:
> --- BinarySoul wrote:
> > Don't forget opening 20 (ftp-data) too or ftp won't work.
> >
> > Rogier Steehouder (r.j.s@gmx.net) wrote:
> > > On 11-01-2002 12:05 (-0800), Chris Appleton wrote:
> > > > allow tcp from any 21 to a.b.c.d
> > >
> > > This means allow connections from port 21 on any machine to any
> > > port on a.b.c.d, so you completely opened up your system.
> > >
> > > What you're probably looking for is:
> > >
> > > allow tcp from any to a.b.c.d 21
> > >
> > > Allow any machine to connect to only port 21 on a.b.c.d
>
> in case you can't see it, i'm repeatedly kicking myself in the ass.
> hallelujah it's alive.
>
> i did get a stern warning about this and maybe you know if i'm exposed:
> (this is a 4.4-r bridge)
>
> allow ip from any a.b.c.d/24 to any
> allow tcp from any to any established
> allow udp from any 53 to any
> allow tcp from any to a.b.c.d/24 21
>
> (apart from needing 20 for data) is the 'established' rule creating a
> big hole considering the 21 request in is essentially an established
> connection. is there something i can do to keep the benefit of not
> having 2 rules for every port like established does?

The established rule does not create a big hole. In fact, because of it
you can still surf the web, for example.

Imagine you make a web request. Then you send out a setup packet to some
web server - allowed by rule 1. It responds and tries to send you data -
allowed by rule 2 since the connection already exists. Without the
established rule, answers would not come through.

This behaviour is not a security risk since packets that claim to be from
an existing connection, but are not, are dropped anyway.

With kind regards,
Rogier Steehouder

--
   ___ _
 -O_\ // | /        Rogier Steehouder
   //\ / \          r.j.s@gmx.net
  //   \
<---------------------- 25m ---------------------->
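Worked example, added to this archived page and not part of the original message or of ipfw itself: a small Python simulator of ipfw's first-match evaluation for the rule subset used in this thread. It compares the two rules discussed above (source port 21 versus destination port 21) and runs Chris's bridge ruleset against a few constructed packets, with 192.0.2.0/24 standing in for a.b.c.d/24 and the other addresses invented for illustration. One point the simulator makes visible: ipfw's `established` keyword is stateless; it matches any TCP packet with the ACK or RST bit set and keeps no connection table, so the model below implements it that way. The ruleset is assumed to end in the usual default deny.

```python
"""First-match simulator for the ipfw rule subset used in the thread.

Added example, not code from the original mail or from FreeBSD. Supports
only: allow/deny, proto ip|tcp|udp, 'any' or address/prefix endpoints with
an optional single port, and the 'established' option. All addresses and
packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str                      # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    established: bool
    text: str


def _endpoint(tokens, i):
    """Parse 'addr [port]' at tokens[i]; return (network-or-None, port, next i)."""
    net = None if tokens[i] == "any" else ipaddress.ip_network(tokens[i], strict=False)
    i += 1
    port = None
    if i < len(tokens) and tokens[i].isdigit():
        port, i = int(tokens[i]), i + 1
    return net, port, i


def parse_rule(text):
    t = text.split()
    if len(t) < 5 or t[0] not in ("allow", "deny") or t[2] != "from":
        raise ValueError(f"unsupported rule: {text!r}")
    src, sport, i = _endpoint(t, 3)
    if t[i] != "to":
        raise ValueError(f"expected 'to' in {text!r}")
    dst, dport, i = _endpoint(t, i + 1)
    return Rule(t[0], t[1], src, sport, dst, dport, "established" in t[i:], text)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # ipfw 'established' = TCP with ACK or RST set; there is no state lookup.
    if rule.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False
    return True


def verdict(rules, pkt, default="deny"):
    """First matching rule wins, as in ipfw; 'default' models rule 65535."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.text
    return default, "default rule"


def tcp(src, sport, dst, dport, *flags):
    return Packet("tcp", src, sport, dst, dport, frozenset(flags))


# 192.0.2.0/24 stands in for the thread's a.b.c.d/24 (constructed).
LEAKY = [parse_rule("allow tcp from any 21 to 192.0.2.10")]      # as first posted
FIXED = [parse_rule("allow tcp from any to 192.0.2.10 21")]      # as corrected
BRIDGE = [parse_rule(r) for r in (
    "allow ip from 192.0.2.0/24 to any",
    "allow tcp from any to any established",
    "allow udp from any 53 to any",
    "allow tcp from any to 192.0.2.0/24 21",
)]

SAMPLES = [  # (label, packet); all addresses constructed
    ("attacker, sport 21 -> ssh",   tcp("198.51.100.9", 21, "192.0.2.10", 22, "SYN")),
    ("client -> ftp control",        tcp("198.51.100.9", 40000, "192.0.2.10", 21, "SYN")),
    ("LAN host -> web server",       tcp("192.0.2.5", 40000, "203.0.113.7", 80, "SYN")),
    ("web reply (SYN/ACK)",          tcp("203.0.113.7", 80, "192.0.2.5", 40000, "SYN", "ACK")),
    ("unsolicited SYN -> ssh",       tcp("198.51.100.9", 4444, "192.0.2.10", 22, "SYN")),
    ("forged bare ACK -> ssh",       tcp("198.51.100.9", 4444, "192.0.2.10", 22, "ACK")),
    ("DNS reply",                    Packet("udp", "203.0.113.53", 53, "192.0.2.5", 5353)),
    ("active-FTP data SYN from 20",  tcp("203.0.113.7", 20, "192.0.2.5", 40001, "SYN")),
]

if __name__ == "__main__":
    for name, rules in (("LEAKY", LEAKY), ("FIXED", FIXED), ("BRIDGE", BRIDGE)):
        print(f"== {name}")
        for label, pkt in SAMPLES:
            action, why = verdict(rules, pkt)
            print(f"  {action:5}  {label:30}  ({why})")
```

Running it shows three things: the originally posted rule passes a SYN from source port 21 to port 22, while the corrected rule passes only traffic bound for port 21; the bridge ruleset lets the web server's SYN/ACK back in through `established` but also lets any packet with only ACK set reach the LAN, because the match is on flag bits, not on a remembered connection; and the active-mode FTP data connection, which the server opens from port 20 toward the client, is dropped by this ruleset, which is the port 20 remark earlier in the thread.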