Date:      Thu, 25 Sep 1997 19:39:50 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Nate Williams <nate@mt.sri.com>, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        Chris Stenton <jacs@gnome.co.uk>, security@freebsd.org
Subject:   Re: rc.firewall weakness?
Message-ID:  <199709260239.TAA19427@salsa.gv.tsc.tdk.com>
In-Reply-To: Nate Williams <nate@mt.sri.com> "Re: rc.firewall weakness?" (Sep 25,  8:16pm)

On Sep 25,  8:16pm, Nate Williams wrote:
} Subject: Re: rc.firewall weakness?
} > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
} 
} How do you do that?  You must not be using IPFW, since it really doesn't
} allow the ability to permit <port>-<port>.

I'm using Cisco access lists, but can't you do this with IPFW like this:

    # Allow DNS queries out in the world
    /sbin/ipfw add pass udp from any 53 to ${oip} 53
    /sbin/ipfw add pass udp from ${oip} 53 to any 53

In most cases you don't gain much by filtering on the port number
of packets from an untrusted source (and the above rule doesn't allow
other hosts to send queries from ports other than 53), so can't you do:

    /sbin/ipfw add pass udp from any to ${oip} 53
    /sbin/ipfw add pass udp from ${oip} 53 to any
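To make the difference between the two rule sets concrete, here is an added model of ipfw's first-match UDP filtering run over constructed packets; it is not code from the post or from FreeBSD's ipfw, and the address 192.0.2.10 is an assumed stand-in for ${oip}.

```python
"""Model of ipfw first-match UDP filtering for the two DNS rule sets above."""
from dataclasses import dataclass
from typing import Optional

OIP = "192.0.2.10"  # constructed address standing in for ${oip}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "deny"
    src: Optional[str]    # None means "any"
    sport: Optional[int]  # None means any source port
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in fields)


def evaluate(rules, p):
    """ipfw walks the list in order; the first match wins, default is deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Strict set: only 53<->53 in either direction.
STRICT = [Rule("pass", None, 53, OIP, 53), Rule("pass", OIP, 53, None, 53)]
# Relaxed set: any source port may query our resolver; it replies from 53.
RELAXED = [Rule("pass", None, None, OIP, 53), Rule("pass", OIP, 53, None, None)]

SAMPLES = {  # constructed packets, not captured traffic
    "server-to-server query": Packet("198.51.100.5", 53, OIP, 53),
    "stub resolver query": Packet("198.51.100.7", 4321, OIP, 53),
    "reply to stub resolver": Packet(OIP, 53, "198.51.100.7", 4321),
    "port-53-sourced probe of another service": Packet("198.51.100.9", 53, OIP, 111),
}


def compare():
    """Return {name: (strict verdict, relaxed verdict)} for each sample packet."""
    return {n: (evaluate(STRICT, p), evaluate(RELAXED, p)) for n, p in SAMPLES.items()}
```

The last sample shows that dropping the source-port check on the inbound rule does not open other ports on ${oip}, while the stub-resolver samples show what the strict set silently blocks.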
