From owner-freebsd-security Thu Sep 25 19:40:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA01070 for security-outgoing; Thu, 25 Sep 1997 19:40:40 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA01064 for ; Thu, 25 Sep 1997 19:40:35 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id TAA11023; Thu, 25 Sep 1997 19:39:52 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id TAA14103; Thu, 25 Sep 1997 19:39:51 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id TAA19427; Thu, 25 Sep 1997 19:39:50 -0700 (PDT)
From: Don Lewis
Message-Id: <199709260239.TAA19427@salsa.gv.tsc.tdk.com>
Date: Thu, 25 Sep 1997 19:39:50 -0700
In-Reply-To: Nate Williams "Re: rc.firewall weakness?" (Sep 25, 8:16pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Nate Williams , Don Lewis
Subject: Re: rc.firewall weakness?
Cc: Chris Stenton , security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sep 25, 8:16pm, Nate Williams wrote:
} Subject: Re: rc.firewall weakness?
} > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
}
} How do you do that? You must not be using IPFW, since it really doesn't
} allow the ability to permit -.
I'm using Cisco access lists, but can't you do this with IPFW like this:

# Allow DNS queries out in the world
/sbin/ipfw add pass udp from any 53 to ${oip} 53
/sbin/ipfw add pass udp from ${oip} 53 to any 53

In most cases you don't gain much by filtering on the port number of packets from an untrusted source (and the above rule doesn't allow other hosts to send queries from ports other than 53), so can't you do:

/sbin/ipfw add pass udp from any to ${oip} 53
/sbin/ipfw add pass udp from ${oip} 53 to any
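The difference between the two rule sets above is easiest to see by running sample packets through them. The following is an added example, not code from the thread or from FreeBSD: a toy first-match evaluator that parses exactly the `add pass udp from A [port] to B [port]` form used in the message and assumes a closed firewall (anything no rule passes is dropped, as ipfw's default rule does on a kernel built that way). The address used for `${oip}` and the remote resolver address are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for ${oip}, the firewall's outside address in the post.
OIP = "192.0.2.10"

# The two rule sets quoted in the message, verbatim.
STRICT = [
    "/sbin/ipfw add pass udp from any 53 to ${oip} 53",
    "/sbin/ipfw add pass udp from ${oip} 53 to any 53",
]
RELAXED = [
    "/sbin/ipfw add pass udp from any to ${oip} 53",
    "/sbin/ipfw add pass udp from ${oip} 53 to any",
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None means "any port"
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        def addr_ok(want: str, got: str) -> bool:
            return want == "any" or want == got

        def port_ok(want: Optional[int], got: int) -> bool:
            return want is None or want == got

        return (self.proto == p.proto
                and addr_ok(self.src, p.src) and port_ok(self.sport, p.sport)
                and addr_ok(self.dst, p.dst) and port_ok(self.dport, p.dport))


def parse_rule(line: str, env: Dict[str, str]) -> Rule:
    """Parse the 'add pass udp from A [port] to B [port]' form used in the post."""
    for name, value in env.items():
        line = line.replace("${" + name + "}", value)   # expand ${oip}
    tok = line.split()
    if tok and tok[0].endswith("ipfw"):
        tok = tok[1:]                                   # drop the command name
    if len(tok) < 6 or tok[0] != "add" or tok[3] != "from":
        raise ValueError("unsupported rule: " + line)
    action, proto = tok[1], tok[2]
    i = 4
    src, i = tok[i], i + 1
    sport = None
    if tok[i] != "to":                                  # optional source port
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError("unsupported rule: " + line)
    i += 1
    dst, i = tok[i], i + 1
    dport = int(tok[i]) if i < len(tok) else None       # optional destination port
    return Rule(action, proto, src, sport, dst, dport)


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a closed firewall denies everything else."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def compare(strict_lines: List[str] = STRICT,
            relaxed_lines: List[str] = RELAXED) -> Dict[str, Tuple[str, str]]:
    """Return {label: (strict verdict, relaxed verdict)} for constructed sample packets."""
    env = {"oip": OIP}
    strict = [parse_rule(line, env) for line in strict_lines]
    relaxed = [parse_rule(line, env) for line in relaxed_lines]
    remote = "198.51.100.7"   # constructed remote resolver address
    samples = {
        # a remote resolver querying our name server from an ephemeral port
        "query from remote ephemeral port":  Packet("udp", remote, 1025, OIP, 53),
        # our server's reply to that query
        "reply to remote ephemeral port":    Packet("udp", OIP, 53, remote, 1025),
        # the 53<->53 case both rule sets were written for
        "query from remote port 53":         Packet("udp", remote, 53, OIP, 53),
        # source port 53 aimed at some other UDP service: the destination-port
        # check stops it either way, so the source-port filter buys nothing here
        "port-53-sourced packet to oip:111": Packet("udp", remote, 53, OIP, 111),
        # wrong protocol entirely
        "tcp to oip:53":                     Packet("tcp", remote, 1025, OIP, 53),
    }
    return {label: (verdict(strict, p), verdict(relaxed, p))
            for label, p in samples.items()}


if __name__ == "__main__":
    for label, (s, r) in compare().items():
        print(f"{label:38} strict={s:5} relaxed={r}")
```

Running it shows the point made in the reply: the strict 53<->53 rules drop a query arriving from a remote resolver's ephemeral port and the reply going back to it, while the relaxed rules pass both, and the packet sourced from port 53 but aimed at another service is dropped by both sets because it is the destination port, not the untrusted source port, that decides.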