From owner-freebsd-security  Thu Sep 25 23:03:51 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id XAA11187
          for security-outgoing; Thu, 25 Sep 1997 23:03:51 -0700 (PDT)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA11171
          for <security@freebsd.org>; Thu, 25 Sep 1997 23:03:45 -0700 (PDT)
Received: (from danny@localhost)
	by panda.hilink.com.au (8.8.5/8.8.5) id QAA16883;
	Fri, 26 Sep 1997 16:03:34 +1000 (EST)
Date: Fri, 26 Sep 1997 16:03:33 +1000 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Nate Williams <nate@mt.sri.com>
cc: security@freebsd.org
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260537.XAA21334@rocky.mt.sri.com>
Message-ID: <Pine.BSF.3.91.970926155959.262T-100000@panda.hilink.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


On Thu, 25 Sep 1997, Nate Williams wrote:

> > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > > 
> > > How do you do that?  You must not be using IPFW, since it really doesn't
> > > allow the ability to permit <port>-<port>.
> > 
> > What about:
> > 
> > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> 
> It doesn't work that way. ;(

No?  My cursory reading of ip_fw.c indicates that it does, but I'm happy 
to be shown otherwise, as I don't consider myself to be a C expert.
Or are you referring to the fact that you  need a more comprehensive 
ruleset to be effective?

Danny