From owner-freebsd-security  Thu Dec  2 10:18:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.baldwin.cx (jobaldwi.campus.vt.edu [198.82.67.146])
	by hub.freebsd.org (Postfix) with ESMTP id 0488114DCD
	for ; Thu,  2 Dec 1999 10:18:26 -0800 (PST)
	(envelope-from jhb@FreeBSD.org)
Received: from john.baldwin.cx (john [10.0.0.2])
	by server.baldwin.cx (8.9.3/8.9.3) with ESMTP id NAA54042;
	Thu, 2 Dec 1999 13:17:59 -0500 (EST)
	(envelope-from jhb@FreeBSD.org)
Message-Id: <199912021817.NAA54042@server.baldwin.cx>
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <199912021807.KAA73912@gndrsh.dnsmgr.net>
Date: Thu, 02 Dec 1999 13:17:59 -0500 (EST)
From: John Baldwin
To: "Rodney W. Grimes"
Subject: Re: rc.firewall revisited
Cc: freebsd-security@FreeBSD.org, (Adam Laurie)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 02-Dec-99 Rodney W. Grimes wrote:
> ...
>> >
>> > # Allow all outgoing UDP
>> > $fwcmd add pass udp from any to any
>
> The comment for this does not match what the rule actually does,
> this rule has not ``outgoing'' about it at all....

Grrr.. perhaps this would be better:

$fwcmd add pass udp from ${ip} to any

>> OK, well this more or less matches my own current iteration, so I have
>> no problem with that...
>
> The above rule set reduces to nothing more than a deny to low ports
> and NFS due to missing via/in/out clauses..

Do you prefer your earlier proposal that used a $dnsserver variable then?

> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)
> rgrimes@gndrsh.dnsmgr.net

--

John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
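The point Rod raises above is that an ipfw rule with no in/out/via clause matches a packet regardless of which interface it arrives on or which direction it is travelling, so `pass udp from any to any` (and even `pass udp from ${ip} to any`, which still matches inbound packets spoofed with the host's own address) is not an "outgoing" rule at all. The script below is an added example written for this editing pass; it is not code from the thread nor from FreeBSD's rc.firewall. It sets `fwcmd` to `echo` so the rules are printed rather than loaded, and the values of `ip`, `oif` and `dnsserver` are constructed sample data. The directional rule set is one illustration of how the `$dnsserver` variant might be made explicit about direction, not the text of anyone's earlier proposal.

```shell
#!/bin/sh
# Added example, not from the thread or from rc.firewall.
# fwcmd is "echo ipfw" so this is a dry run that prints rules.
fwcmd="echo ipfw"
ip="192.0.2.10"        # constructed: this host's external address
oif="fxp0"             # constructed: external interface name
dnsserver="192.0.2.1"  # constructed: the resolver we query

# The rule as posted: no in/out/via clause, so it matches UDP in
# both directions on every interface. Nothing "outgoing" about it.
udp_rule_undirected() {
    $fwcmd add pass udp from any to any
}

# Direction made explicit. Queries may leave only on the external
# interface; only replies from the configured resolver's port 53 are
# let back in on that interface; all other UDP is dropped.
udp_rules_directed() {
    $fwcmd add pass udp from ${ip} to any out via ${oif}
    $fwcmd add pass udp from ${dnsserver} 53 to ${ip} in via ${oif}
    $fwcmd add deny udp from any to any
}

# Lint: run a rule generator and print any "pass" rule that carries
# no in, out or via clause. Useful when reviewing a whole rc.firewall.
# "|| true" keeps a clean result from looking like a grep failure.
undirected_pass_rules() {
    "$@" | grep ' pass ' | grep -v -E ' (in|out|via) ' || true
}

# Stand-alone run: show both rule sets and the lint result for each.
if [ "${1:-}" = "--demo" ]; then
    echo "# undirected:"; udp_rule_undirected
    echo "# directed:";   udp_rules_directed
    echo "# undirected pass rules in the directed set:"
    undirected_pass_rules udp_rules_directed
fi
```

Running the file with `--demo` prints the two rule sets and an empty lint result for the directional set. The inbound rule only covers DNS replies from the one resolver; any other UDP service the host must talk to (NTP, syslog and the like) needs its own pair of `out via` / `in via` rules, otherwise the final deny drops it.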