Date: Mon, 08 May 2000 10:37:21 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: Mark Murray <mark@grondar.za>
Cc: Marc Silver <marcs@draenor.org>, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <39168AD1.FD8BAC38@algroup.co.uk>
References: <20000505080928.Q80532@draenor.org> <200005071311.PAA18519@grimreaper.grondar.za>
Mark Murray wrote:
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> > $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
>
> You want to allow DNS, and this will do it, but it will allow an
> attacker to attack you by setting his source (ephemeral) port
> to 53. Just be aware of this; there is probably not much you can
> do with ipfw - you need a firewall that can hold UDP state.

this works with ipfw:

# block low port incoming UDP but allow outgoing and replies for DNS, NTP
# (and anything else that needs it).
$fwcmd add pass udp from any to any 53,123
$fwcmd add deny udp from any to any 0-1023,1110,2049
$fwcmd add pass udp from any to any

1110 & 2049 are blocked to protect NFS - you will need to block any other
high ports that you have real services running on.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
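An added example, not part of the thread: a small Python first-match model of the three ipfw rules Adam posted, run over constructed UDP packets to show what they actually pass. It assumes ipfw's documented semantics that a port list after "to any" applies to the destination port and that the first matching rule wins; interfaces, directions and state are deliberately not modelled. A DNS reply to an ephemeral port gets through, a packet with source port 53 aimed at a low port or at NFS is denied, and a packet aimed at some other high port still passes, which is exactly why Adam says to block any further high ports that carry real services.

```python
# Added example (not from the thread): first-match model of Adam's three
# ipfw UDP rules. Models only "from any to any [ports]" and first-match
# semantics; it is not ipfw and ignores interfaces, directions and state.

def parse_ports(spec):
    """'53,123' -> {53, 123}; '0-1023,1110,2049' -> all those ports."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports

# (action, destination-port set or None meaning "any"). In
# "from any to any 53,123" the list after "to any" is the destination port.
RULES = [
    ("pass", parse_ports("53,123")),
    ("deny", parse_ports("0-1023,1110,2049")),
    ("pass", None),
]

def evaluate(src_port, dst_port, rules=RULES):
    """Action of the first rule whose destination-port set matches."""
    for action, dports in rules:
        if dports is None or dst_port in dports:
            return action
    return "deny"  # implicit default when no rule matches

# Constructed sample packets: (source port, destination port, description).
PACKETS = [
    (40000, 53, "outgoing DNS query"),
    (53, 40000, "DNS reply to our ephemeral port"),
    (53, 2049, "source port 53 aimed at NFS"),
    (53, 111, "source port 53 aimed at portmapper"),
    (53, 5000, "source port 53 aimed at an unlisted high port"),
]

def classify(packets=PACKETS):
    """Return [(description, action)] for each sample packet."""
    return [(desc, evaluate(s, d)) for s, d, desc in packets]

if __name__ == "__main__":
    for desc, action in classify():
        print(f"{action:5s} {desc}")
```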