Date: Thu, 17 Jul 2008 16:20:51 -0400
From: David Schultz <das@FreeBSD.ORG>
To: Daniel Gerzo <danger@FreeBSD.ORG>
Cc: cvs-src@FreeBSD.ORG, src-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.firewall
Message-ID: <20080717202051.GA27450@zim.MIT.EDU>
In-Reply-To: <200807172000.m6HK0iIh018197@repoman.freebsd.org>
References: <200807172000.m6HK0iIh018197@repoman.freebsd.org>
On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> @@ -194,6 +194,7 @@
>  ${fwcmd} add deny tcp from any to any setup
> 
>  # Allow DNS queries out in the world
> + ${fwcmd} add pass tcp from me to any 53 setup keep-state
>  ${fwcmd} add pass udp from me to any 53 keep-state
> 
>  # Allow NTP queries out in the world
> @@ -294,6 +295,7 @@
>  ${fwcmd} add pass tcp from any to any setup
> 
>  # Allow DNS queries out in the world
> + ${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
>  ${fwcmd} add pass udp from ${oip} to any 53 keep-state
> 
>  # Allow NTP queries out in the world

Hmm, it doesn't look like this could possibly work, unless I'm
missing something. Did you test it? In one case the rule you added
comes after an 'add pass tcp from any to any setup', and in the other
case it comes after an 'add deny tcp from any to any setup', so in
both cases, the line you added should be ineffectual.

Furthermore, I don't believe there's any reason to use keep-state
with TCP. The rule to allow packets for already-established
connections suffices.
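Review bot: in the @@ -194 hunk the added `${fwcmd} add pass tcp from me to any 53 setup keep-state` is unreachable, because the context line directly above the DNS comment, `${fwcmd} add deny tcp from any to any setup`, already matches every TCP SYN (port 53 included) and ipfw stops at the first pass/deny rule that matches. The new rule has to be inserted above that deny to have any effect; the neighbouring UDP rule is unaffected because the deny is TCP-only. If, as the reply says, the ruleset's established-connections rule already covers the follow-on packets, `keep-state` adds nothing here and the line can be `${fwcmd} add pass tcp from me to any 53 setup`.

Review bot: in the @@ -294 hunk the added `${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state` is dead for the opposite reason: the context line `${fwcmd} add pass tcp from any to any setup` just above it already passes every TCP SYN, so a SYN from ${oip} to port 53 is accepted before the new rule is ever consulted. Either drop the line in this section as redundant, or, if the intent is to allow DNS while narrowing the blanket pass, the any-to-any pass is the rule that has to change; the new line alone changes no behaviour. The same remark about `keep-state` being unnecessary when an established-connections rule is present applies.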
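The ordering point made in the reply (ipfw stops at the first pass/deny rule that matches, so a rule placed after a broader deny, or after a broader pass, never fires) can be checked mechanically rather than by eye. The following is an added example, not code from the original mail or from FreeBSD's rc.firewall: a deliberately small first-match model of ipfw that understands only the keywords that appear in the quoted hunks (pass/deny, tcp/udp, me/any, a destination port, setup, keep-state). The host address in `ME`, the probe packets and the three rule orderings are constructed for the example; `${oip}` is modelled as `me`, and `keep-state` is parsed but has no effect because only the first packet of each connection is simulated.

```python
"""First-match model of ipfw rule evaluation (added example; not from the
original mail or FreeBSD's rc.firewall).  It covers only the keywords in the
quoted hunks: pass/deny, tcp/udp, 'me'/'any', a destination port, 'setup'
and 'keep-state'.  Real ipfw has tables, check-state, interfaces and much
more; this only shows why a rule placed after a broader one never fires."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for the example: ipfw's 'me' matches any address configured on
# the local host; here the host has a single address.
ME = {"192.0.2.10"}


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn_only: bool = False   # TCP SYN without ACK: what ipfw's 'setup' matches


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    src: str                 # "me", "any" or a literal address
    dst: str
    dport: Optional[int] = None
    setup: bool = False
    keep_state: bool = False  # parsed, but irrelevant for a connection's first packet


def parse_rule(text: str) -> Rule:
    """Parse '<action> <proto> from <src> to <dst> [port] [setup] [keep-state]'."""
    toks = text.split()
    if toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rest = toks[6:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(toks[0], toks[1], toks[3], toks[5], dport,
                setup="setup" in rest, keep_state="keep-state" in rest)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """ipfw stops at the first pass/deny rule that matches.  Returns
    (rule index, action); (None, 'default') means the default rule would decide."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i, rule.action
    return None, "default"


def unreachable_for(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Indices of rules that fire for none of the probe packets.  A rule that is
    never reached for the very traffic it was written for is shadowed by an
    earlier rule, which is the defect the reply points out."""
    hit = {first_match(rules, p)[0] for p in probes}
    return [i for i in range(len(rules)) if i not in hit]


# Constructed probe traffic from the local host: an outbound DNS SYN, an
# outbound DNS UDP query, and an outbound SYN to some other port.
DNS_SYN = Packet("tcp", "192.0.2.10", "198.51.100.53", 53, syn_only=True)
DNS_UDP = Packet("udp", "192.0.2.10", "198.51.100.53", 53)
WEB_SYN = Packet("tcp", "192.0.2.10", "198.51.100.80", 80, syn_only=True)
PROBES = [DNS_SYN, DNS_UDP, WEB_SYN]

# Ordering as committed in the first hunk: the blanket deny comes first.
COMMITTED = [parse_rule(r) for r in (
    "deny tcp from any to any setup",
    "pass tcp from me to any 53 setup keep-state",
    "pass udp from me to any 53 keep-state",
)]
# The same rules with the DNS pass moved above the deny.
REORDERED = [COMMITTED[1], COMMITTED[0], COMMITTED[2]]
# Ordering as committed in the second hunk (${oip} modelled as 'me'): the
# blanket pass comes first, so the new rule is redundant rather than blocked.
OPEN = [parse_rule(r) for r in (
    "pass tcp from any to any setup",
    "pass tcp from me to any 53 setup keep-state",
)]


def committed_result() -> Tuple[Optional[int], str]:
    return first_match(COMMITTED, DNS_SYN)   # (0, 'deny'): the SYN dies at the deny


def reordered_result() -> Tuple[Optional[int], str]:
    return first_match(REORDERED, DNS_SYN)   # (0, 'pass'): the DNS rule now fires
```

Running `unreachable_for(COMMITTED, PROBES)` and `unreachable_for(OPEN, PROBES)` both report index 1, the added rule, as never firing, while `unreachable_for(REORDERED, PROBES)` reports nothing; the probe set has to include the traffic each rule is meant for, or a rule will look shadowed simply because nothing exercised it.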
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080717202051.GA27450>