Date: Fri, 26 Sep 1997 00:09:07 -0600 (MDT) From: Nate Williams <nate@mt.sri.com> To: "Daniel O'Callaghan" <danny@panda.hilink.com.au> Cc: Nate Williams <nate@mt.sri.com>, security@freebsd.org Subject: Re: rc.firewall weakness? Message-ID: <199709260609.AAA21538@rocky.mt.sri.com> In-Reply-To: <Pine.BSF.3.91.970926155959.262T-100000@panda.hilink.com.au> References: <199709260537.XAA21334@rocky.mt.sri.com> <Pine.BSF.3.91.970926155959.262T-100000@panda.hilink.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123. > > > > > > What about: > > > > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in > > > > It doesn't work that way. ;( > > No? My cursory reading of ip_fw.c indicates that it does, but I'm happy > to be shown otherwise, as I don't consider myself to be a C expert. > Or are you referring to the fact that you need a more comprehensive > ruleset to be effective? I had a discussion with Alex a while back, and if my memory isn't failing me this didn't work. I don't know why either, and I haven't looked at the sources. Perhaps it's been fixed to work, but I haven't seen anything significant since the discussion. Nate
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709260609.AAA21538>