From: Walter Hop
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules: dangerous rules?
Date: Wed, 20 Mar 2002 17:52:11 +0100
Message-Id: <200203201749.08396@silver.dt1.binity.net>
References: <3C992774.D763B085@froekjaer.org> <20020320160349.GB27566@icarus.slightlystrange.org>
In-Reply-To: <20020320160349.GB27566@icarus.slightlystrange.org>

[in reply to Daniel Bye, Wednesday 20 March 2002 17:03]

[Proposed ruleset to allow DNS]
> > ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> > ipfw add allow udp from DNS-IP 53 to any in via INTERFACE

Wouldn't this ruleset allow evil people to send udp packets from their port 53 to an arbitrary UDP port on this box, and possibly reach local services such as rpc, nfs and smb by this rule? Or am I being paranoid? :)

walter

-- 
Walter Hop | +31 6 24290808 | PGP keyid 0x84813998
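The concern raised above, as an added illustration that is not part of the thread and not ipfw's own code: a small Python model of ipfw's first-match evaluation applied to the quoted pair of rules, beside a stateful variant (`ipfw add check-state` followed by the outbound rule with `keep-state`). DNS-IP, the box's address and the three sample datagrams are constructed values, and the state table is simplified (no timeouts, UDP only, keyed on the full 4-tuple).

```python
from dataclasses import dataclass

# Constructed values; nothing here comes from the original thread.
DNS_IP = "192.0.2.53"   # the resolver the box is allowed to query
BOX_IP = "192.0.2.10"   # the firewalled host behind INTERFACE

@dataclass(frozen=True)
class Pkt:
    """One UDP datagram as ipfw sees it on INTERFACE."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"

def rule_out(p):
    """ipfw add allow udp from any to DNS-IP 53 out via INTERFACE"""
    return p.direction == "out" and p.dst == DNS_IP and p.dport == 53

def rule_in(p):
    """ipfw add allow udp from DNS-IP 53 to any in via INTERFACE"""
    return p.direction == "in" and p.src == DNS_IP and p.sport == 53

def stateless(p):
    """First-match evaluation of the quoted pair; implicit default deny."""
    return "allow" if rule_out(p) or rule_in(p) else "deny"

def stateful_factory():
    """check-state, then the outbound rule with keep-state (simplified model:
    no timeouts, UDP only, dynamic entries keyed on the full 4-tuple)."""
    dynamic = set()
    def evaluate(p):
        # check-state: an inbound datagram matching a dynamic entry passes
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in dynamic:
            return "allow"
        # ... out via INTERFACE keep-state: our own query creates the entry
        if rule_out(p):
            dynamic.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        return "deny"
    return evaluate

QUERY = Pkt(BOX_IP, 40123, DNS_IP, 53, "out")       # our own lookup
REPLY = Pkt(DNS_IP, 53, BOX_IP, 40123, "in")        # the answer to it
UNSOLICITED = Pkt(DNS_IP, 53, BOX_IP, 111, "in")    # source port 53, aimed at sunrpc
def compare(packets=(QUERY, REPLY, UNSOLICITED)):
    stateful = stateful_factory()
    return {"stateless": [stateless(p) for p in packets],
            "stateful": [stateful(p) for p in packets]}
```

The quoted pair accepts any inbound UDP datagram that presents DNS-IP:53 as its source, whatever the destination port, while the stateful pair accepts only the reply to a query this box actually sent.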