Date: Fri, 26 Sep 1997 08:32:49 +0200 (SAT)
From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To: nate@mt.sri.com (Nate Williams)
Cc: danny@panda.hilink.com.au, nate@mt.sri.com, security@FreeBSD.ORG
Subject: Re: rc.firewall weakness?
Message-ID: <199709260632.IAA14725@oskar.nanoteq.co.za>
In-Reply-To: <199709260609.AAA21538@rocky.mt.sri.com> from Nate Williams at "Sep 26, 97 00:09:07 am"
Hi ...

> > > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > > >
> > > > What about:
> > > >
> > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> > >
> > > It doesn't work that way. ;(
> >
> > No? My cursory reading of ip_fw.c indicates that it does, but I'm happy
> > to be shown otherwise, as I don't consider myself to be a C expert.
> > Or are you referring to the fact that you need a more comprehensive
> > ruleset to be effective?
>
> I had a discussion with Alex a while back, and if my memory isn't
> failing me this didn't work. I don't know why either, and I haven't
> looked at the sources. Perhaps it's been fixed to work, but I haven't
> seen anything significant since the discussion.
>

Aren't we just having a communications gap here ??? ...

I thought the 53<->53 just meant a rule like this ..

accept udp from any 53 to any 53

Which is possible to configure ... I use it often for routing info to be
exchanged ... e.g.

accept udp from any 520 to 1.2.3.4 520 in recv ed0

and that works fine ....

Reinier
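To make the rule semantics the two sides are arguing about concrete, here is an added model (not code from the thread and not FreeBSD's ip_fw.c) that parses the two rule forms quoted above and evaluates constructed UDP datagrams first-match with a default-deny policy. The rule number 1100, the sample addresses and the simplified matcher are assumptions made for the example; real ipfw matching covers far more than this subset.

```python
# Added model of the ipfw rule subset quoted in this thread (not ip_fw.c):
# first-match evaluation with a default-deny policy, UDP only.
def parse_rule(text):
    """Parse 'ipfw add N action udp from S [port] to D [port] [in|out] [recv IF]'."""
    t = text.split()
    if t[:2] != ["ipfw", "add"] or t[5] != "from":
        raise ValueError("unsupported rule syntax: " + text)
    r = {"number": int(t[2]), "action": t[3], "proto": t[4], "src": t[6],
         "sport": None, "dst": None, "dport": None, "dir": None, "recv": None}
    i = 7
    if t[i].isdigit():                       # optional source port
        r["sport"] = int(t[i]); i += 1
    if t[i] != "to":
        raise ValueError("expected 'to' in: " + text)
    r["dst"] = t[i + 1]; i += 2
    if i < len(t) and t[i].isdigit():        # optional destination port
        r["dport"] = int(t[i]); i += 1
    while i < len(t):                        # options: in / out / recv IF
        if t[i] in ("in", "out"):
            r["dir"] = t[i]; i += 1
        elif t[i] == "recv":
            r["recv"] = t[i + 1]; i += 2
        else:
            raise ValueError("unsupported option: " + t[i])
    return r

def matches(r, p):
    """True if rule r matches packet p; None and 'any' are wildcards."""
    return (r["proto"] == p["proto"]
            and r["src"] in ("any", p["src"])
            and r["sport"] in (None, p["sport"])
            and r["dst"] in ("any", p["dst"])
            and r["dport"] in (None, p["dport"])
            and r["dir"] in (None, p["dir"])
            and r["recv"] in (None, p["iface"]))

def verdict(rules, p):
    """First matching rule decides; no match falls through to deny."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if matches(r, p):
            return "allow" if r["action"] in ("allow", "accept") else "deny"
    return "deny"

# The two rule forms quoted in the thread; rule number 1100 is constructed.
RULES = [parse_rule("ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in"),
         parse_rule("ipfw add 1100 accept udp from any 520 to 1.2.3.4 520 in recv ed0")]

def pkt(src, sport, dst, dport, iface="ed0", direction="in"):  # constructed datagram
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "dir": direction, "iface": iface}
```

With these rules, `verdict(RULES, pkt("10.0.0.9", 1234, "1.2.3.4", 53))` returns "deny": a datagram whose source port is not 53 never matches the 53<->53 rule, which is exactly the restriction Nate describes, while the RIP rule additionally requires arrival on ed0.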
