From owner-freebsd-questions Wed Mar 20 9: 6:18 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from icarus.slightlystrange.org (icarus.slightlystrange.org [62.190.193.173]) by hub.freebsd.org (Postfix) with ESMTP id 2FEB737B417 for ; Wed, 20 Mar 2002 09:06:13 -0800 (PST)
Received: from danielby by icarus.slightlystrange.org with local (Exim 3.12 #1 (Debian)) id 16njXK-0007Uf-00 for ; Wed, 20 Mar 2002 17:06:06 +0000
Date: Wed, 20 Mar 2002 17:06:06 +0000
From: Daniel Bye
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules: dangerous rules?
Message-ID: <20020320170606.GD27566@icarus.slightlystrange.org>
Reply-To: dan@slightlystrange.org
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <3C992774.D763B085@froekjaer.org> <20020320160349.GB27566@icarus.slightlystrange.org> <200203201749.08396@silver.dt1.binity.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200203201749.08396@silver.dt1.binity.net>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, Mar 20, 2002 at 05:52:11PM +0100, Walter Hop wrote:
> [in reply to Daniel Bye, Wednesday 20 March 2002 17:03]
> > [Proposed ruleset to allow DNS]
> > > ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> > > ipfw add allow udp from DNS-IP 53 to any in via INTERFACE
>
> Wouldn't this ruleset allow evil people to send udp packets from their
> port 53 to an arbitrary UDP port on this box, and possibly reach local
> services such as rpc, nfs and smb by this rule? Or am I being paranoid? :)

Agreed in principle. However, I think Paul intended for his rules to be altered to include the IP addresses of trusted name servers, and not to be left as "allow udp from any 53 to any in via tun0".

I am sure there are plenty of people out there far cleverer than me who know of ways to make it even tighter, and I would like to hear any suggestions (I currently use a setup very much like this). And a little bit of paranoia is, IMO, a Good Thing!

> walter
>
> --
> Walter Hop | +31 6 24290808 | PGP keyid 0x84813998
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Cheers,

Dan
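A tightened form of the ruleset the thread is discussing, as an added example that is not from the thread or from any of its posters. It assumes constructed placeholders (interface tun0, box address 192.0.2.10, two resolver addresses) in place of the thread's INTERFACE and DNS-IP; the keep-state/check-state variant at the end goes beyond what the thread itself proposes.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed placeholders:
#   IFACE       external interface (the thread's INTERFACE / tun0)
#   MY_IP       this box's address on IFACE
#   DNS_SERVERS trusted resolvers (the thread's DNS-IP)
IFACE="${IFACE:-tun0}"
MY_IP="${MY_IP:-192.0.2.10}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 198.51.100.53}"
BASE="${BASE:-1000}"   # first ipfw rule number to use

# The thread's rules with DNS-IP left as "any": the second line admits any
# UDP datagram whose source port is 53, to any local port (Walter's concern).
weak_dns_rules() {
    printf 'ipfw add %d allow udp from any to any 53 out via %s\n' "$BASE" "$IFACE"
    printf 'ipfw add %d allow udp from any 53 to any in via %s\n' "$((BASE + 1))" "$IFACE"
}

# Tightened, stateless: replies accepted only from the listed servers, only to
# this box, only to unprivileged ports (where the resolver's sockets live),
# followed by an explicit logged deny for anything else claiming source port 53.
tight_dns_rules() {
    n=$BASE
    for s in $DNS_SERVERS; do
        printf 'ipfw add %d allow udp from %s to %s 53 out via %s\n' "$n" "$MY_IP" "$s" "$IFACE"
        n=$((n + 1))
        printf 'ipfw add %d allow udp from %s 53 to %s 1024-65535 in via %s\n' "$n" "$s" "$MY_IP" "$IFACE"
        n=$((n + 1))
    done
    printf 'ipfw add %d deny log udp from any 53 to any in via %s\n' "$n" "$IFACE"
}

# Stateful alternative (beyond the thread): keep-state records each outbound
# query and check-state admits only the reply matching that exact tuple.
stateful_dns_rules() {
    n=$BASE
    printf 'ipfw add %d check-state\n' "$n"
    for s in $DNS_SERVERS; do
        n=$((n + 1))
        printf 'ipfw add %d allow udp from %s to %s 53 out via %s keep-state\n' "$n" "$MY_IP" "$s" "$IFACE"
    done
    printf 'ipfw add %d deny log udp from any 53 to any in via %s\n' "$((n + 1))" "$IFACE"
}

# Print the tightened set for review; once checked it can be piped into sh.
tight_dns_rules
```

Only the functions print commands; nothing is loaded into the firewall until the output is deliberately piped into sh.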