From owner-freebsd-security  Thu Sep 25 22:38:13 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id WAA09695
          for security-outgoing; Thu, 25 Sep 1997 22:38:13 -0700 (PDT)
Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA09690
          for <security@freebsd.org>; Thu, 25 Sep 1997 22:38:08 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id XAA15200;
	Thu, 25 Sep 1997 23:37:43 -0600 (MDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id XAA21334; Thu, 25 Sep 1997 23:37:40 -0600 (MDT)
Date: Thu, 25 Sep 1997 23:37:40 -0600 (MDT)
Message-Id: <199709260537.XAA21334@rocky.mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
Cc: Nate Williams <nate@mt.sri.com>, Don Lewis <Don.Lewis@tsc.tdk.com>,
        security@freebsd.org
Subject: Re: rc.firewall weakness?
In-Reply-To: <Pine.BSF.3.91.970926131247.262Q@panda.hilink.com.au>
References: <199709260216.UAA20908@rocky.mt.sri.com>
	<Pine.BSF.3.91.970926131247.262Q@panda.hilink.com.au>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > 
> > How do you do that?  You must not be using IPFW, since it really doesn't
> > allow the ability to permit <port>-<port>.
> 
> What about:
> 
> ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in

It doesn't work that way. ;(


Nate