From owner-freebsd-security Thu Sep 25 23:09:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA11405 for security-outgoing; Thu, 25 Sep 1997 23:09:19 -0700 (PDT)
Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA11398 for ; Thu, 25 Sep 1997 23:09:16 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id AAA15430; Fri, 26 Sep 1997 00:09:09 -0600 (MDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id AAA21538; Fri, 26 Sep 1997 00:09:07 -0600 (MDT)
Date: Fri, 26 Sep 1997 00:09:07 -0600 (MDT)
Message-Id: <199709260609.AAA21538@rocky.mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Daniel O'Callaghan"
Cc: Nate Williams , security@freebsd.org
Subject: Re: rc.firewall weakness?
In-Reply-To:
References: <199709260537.XAA21334@rocky.mt.sri.com>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > >
> > > What about:
> > >
> > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> >
> > It doesn't work that way. ;(
>
> No? My cursory reading of ip_fw.c indicates that it does, but I'm happy
> to be shown otherwise, as I don't consider myself to be a C expert.
> Or are you referring to the fact that you need a more comprehensive
> ruleset to be effective?

I had a discussion with Alex a while back, and if my memory isn't failing
me this didn't work. I don't know why either, and I haven't looked at the
sources. Perhaps it's been fixed to work, but I haven't seen anything
significant since the discussion.

Nate
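As an added illustration, not code from this thread and not a reading of ip_fw.c, the Python below models the stateless matching that the quoted rule `ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in` would perform if, as Daniel reads it, both the source and destination port are checked. The parser covers only the rule subset used here (any/address/CIDR, single ports, comma lists, ranges, in/out), the default-deny rule number 65535 is assumed, and every packet is constructed for the demonstration. It shows which traffic a 53<->53 rule admits: server-to-server DNS from any host that merely sets its source port to 53, but not replies to a stub resolver that queried from an ephemeral port.

```python
"""Simplified model of ipfw(8) stateless rule matching (added example, not ip_fw.c)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = Optional[Tuple[Tuple[int, int], ...]]  # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                           # "allow" or "deny"
    proto: str                            # "udp", "tcp", "ip"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    sports: PortRanges
    dst: Optional[ipaddress.IPv4Network]
    dports: PortRanges
    direction: Optional[str]              # None means either direction


def _parse_addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _parse_ports(tok: str) -> PortRanges:
    # "53", "53,123" or "1024-65535" -> tuple of (lo, hi) ranges
    ranges = []
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)


def parse_rule(text: str) -> Rule:
    """Parse '[ipfw] add N action proto from SRC [PORTS] to DST [PORTS] [in|out]'."""
    toks = text.split()
    if toks and toks[0] == "ipfw":
        toks = toks[1:]
    if len(toks) < 7 or toks[0] != "add" or toks[4] != "from":
        raise ValueError("unsupported rule syntax: %r" % text)
    number, action, proto = int(toks[1]), toks[2], toks[3]
    i = 5
    src = _parse_addr(toks[i]); i += 1
    sports = None
    if i < len(toks) and toks[i][:1].isdigit():       # optional source ports
        sports = _parse_ports(toks[i]); i += 1
    if i >= len(toks) or toks[i] != "to":
        raise ValueError("expected 'to' in rule: %r" % text)
    i += 1
    dst = _parse_addr(toks[i]); i += 1
    dports = None
    if i < len(toks) and toks[i][:1].isdigit():       # optional destination ports
        dports = _parse_ports(toks[i]); i += 1
    direction = None
    if i < len(toks) and toks[i] in ("in", "out"):
        direction = toks[i]; i += 1
    if i != len(toks):
        raise ValueError("unsupported trailing options: %r" % toks[i:])
    return Rule(number, action, proto, src, sports, dst, dports, direction)


def _addr_match(net: Optional[ipaddress.IPv4Network], ip: str) -> bool:
    return net is None or ipaddress.ip_address(ip) in net


def _port_match(ranges: PortRanges, port: int) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and (rule.direction is None or rule.direction == pkt.direction)
            and _addr_match(rule.src, pkt.src) and _port_match(rule.sports, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dports, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule in number order decides; else the assumed default-deny rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


RULES = [parse_rule("ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in")]

# Constructed packets toward a hypothetical name server at 1.2.3.4 (not from the thread).
SERVER_TO_SERVER = Packet("udp", "10.9.8.7", 53, "1.2.3.4", 53, "in")       # BIND-style 53->53 query
REPLY_TO_STUB = Packet("udp", "10.9.8.7", 53, "1.2.3.4", 3021, "in")        # answer to an ephemeral-port lookup
QUERY_FROM_EPHEMERAL = Packet("udp", "10.9.8.7", 1025, "1.2.3.4", 53, "in")  # client query from a high port
ANY_HOST_SPORT_53 = Packet("udp", "198.51.100.9", 53, "1.2.3.4", 53, "in")  # any sender can pick source port 53


def demo() -> dict:
    """Action the rule set takes for each constructed packet."""
    pkts = {"server_to_server": SERVER_TO_SERVER, "reply_to_stub": REPLY_TO_STUB,
            "query_from_ephemeral": QUERY_FROM_EPHEMERAL, "any_host_sport_53": ANY_HOST_SPORT_53}
    return {name: evaluate(RULES, pkt)[1] for name, pkt in pkts.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print("%-22s %s" % (name, action))
```

The model makes the trade-off in the quoted rule concrete: because the match is stateless, restricting both ports to 53 keeps out client queries and the answers to them, while admitting any UDP datagram whose sender simply chose source port 53, which is why a rule like this needs a more comprehensive ruleset around it.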