From: David Schultz <das@FreeBSD.ORG>
To: Daniel Gerzo
Cc: cvs-src@FreeBSD.ORG, src-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Date: Thu, 17 Jul 2008 16:20:51 -0400
Subject: Re: cvs commit: src/etc rc.firewall
Message-ID: <20080717202051.GA27450@zim.MIT.EDU>
In-Reply-To: <200807172000.m6HK0iIh018197@repoman.freebsd.org>

On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> @@ -194,6 +194,7 @@
> ${fwcmd} add deny tcp from any to any setup
>
> # Allow DNS queries out in the world
> + ${fwcmd} add pass tcp from me to any 53 setup keep-state
> ${fwcmd} add pass udp from me to any 53 keep-state
>
> # Allow NTP queries out in the world
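Review bot: The added `${fwcmd} add pass tcp from me to any 53 setup keep-state` is unreachable where it stands: it directly follows `${fwcmd} add deny tcp from any to any setup`, and ipfw walks the ruleset in order and stops at the first match, so every TCP SYN to port 53 has already been denied before this line is consulted. If DNS over TCP is meant to be permitted, the rule has to come before that deny. The `keep-state` is also unnecessary for TCP here, since the ruleset's pass rule for established connections already admits the return traffic of a connection whose setup was allowed, and a dynamic rule per DNS query only grows the state table.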
> @@ -294,6 +295,7 @@
> ${fwcmd} add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> + ${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
> ${fwcmd} add pass udp from ${oip} to any 53 keep-state
>
> # Allow NTP queries out in the world

Hmm, it doesn't look like this could possibly work, unless I'm missing something. Did you test it? In one case the rule you added comes after an 'add pass tcp from any to any setup', and in the other case it comes after an 'add deny tcp from any to any setup', so in both cases, the line you added should be ineffectual.

Furthermore, I don't believe there's any reason to use keep-state with TCP. The rule to allow packets for already-established connections suffices.
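Review bot: The added `${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state` is redundant in this position: the preceding `${fwcmd} add pass tcp from any to any setup` already matches every TCP setup packet, including those from `${oip}` to port 53, and with first-match evaluation the new line can never be the deciding rule. Either drop it, or, if the intent is to carry DNS-over-TCP sessions as dynamic state, place it above the catch-all pass rule; even then the established-connection pass rule already covers the reply packets, so `keep-state` adds state-table entries without changing the outcome.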
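Added example, not from the mail or from FreeBSD's rc.firewall: a small first-match evaluator in Python, modelling only the ipfw fields the ordering argument needs (action, protocol, source, destination port, `setup`), run over the rule order each hunk produces. `ME`, the packets and the rule lists are constructed stand-ins; `keep-state` is left out because it does not affect which rule matches first.

```python
from dataclasses import dataclass

ME = "192.0.2.10"  # constructed address standing in for ipfw's `me` / ${oip}

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "deny"
    proto: str           # "tcp" or "udp"
    src: str             # source address or "any"
    dport: int           # destination port, 0 = any
    setup: bool = False  # ipfw "setup": match only TCP packets with SYN and no ACK

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int
    syn: bool = False
    ack: bool = False

def matches(rule, pkt):
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.dport in (0, pkt.dport)
            and (not rule.setup or (pkt.syn and not pkt.ack)))

def first_match(rules, pkt):
    """Index of the first matching rule; like ipfw, the search stops there."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i
    raise LookupError("no rule matched")

ADDED = Rule("pass", "tcp", ME, 53, setup=True)  # the line each hunk inserts
# Hunk 1 ("client" section): preceded by `deny tcp from any to any setup`.
CLIENT = [Rule("deny", "tcp", "any", 0, setup=True), ADDED, Rule("pass", "udp", ME, 53)]
# Hunk 2 ("simple" section): preceded by `pass tcp from any to any setup`.
SIMPLE = [Rule("pass", "tcp", "any", 0, setup=True), ADDED, Rule("pass", "udp", ME, 53)]

DNS_SYN = Packet("tcp", ME, 53, syn=True)  # constructed outbound DNS-over-TCP SYN
DNS_UDP = Packet("udp", ME, 53)            # constructed outbound DNS-over-UDP query

def decide(rules, pkt):
    """Return (rule index, action) that first-match evaluation applies to pkt."""
    i = first_match(rules, pkt)
    return i, rules[i].action

if __name__ == "__main__":
    for name, rules in (("client", CLIENT), ("simple", SIMPLE)):
        i, action = decide(rules, DNS_SYN)
        print(f"{name}: DNS SYN decided by rule {i} ({action}); added rule is index {rules.index(ADDED)}")
```

In both rulesets the SYN is settled by rule 0, never by the added rule at index 1; moving the added rule ahead of the deny in the client case is what would make it take effect.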