From owner-freebsd-security Thu Sep 25 23:33:44 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA12805 for security-outgoing; Thu, 25 Sep 1997 23:33:44 -0700 (PDT)
Received: from oskar.nanoteq.co.za (oskar.nanoteq.co.za [163.195.220.170]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA12799 for ; Thu, 25 Sep 1997 23:33:40 -0700 (PDT)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.8.7/8.8.5) id IAA14725; Fri, 26 Sep 1997 08:32:49 +0200 (SAT)
From: Reinier Bezuidenhout
Message-Id: <199709260632.IAA14725@oskar.nanoteq.co.za>
Subject: Re: rc.firewall weakness?
In-Reply-To: <199709260609.AAA21538@rocky.mt.sri.com> from Nate Williams at "Sep 26, 97 00:09:07 am"
To: nate@mt.sri.com (Nate Williams)
Date: Fri, 26 Sep 1997 08:32:49 +0200 (SAT)
Cc: danny@panda.hilink.com.au, nate@mt.sri.com, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hi ...

>
> > > > > You've got it, which is why I only permit UDP 53<->53 and 123<->123.
> > > >
> > > > What about:
> > > >
> > > > ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in
> > >
> > > It doesn't work that way. ;(
> >
> > No? My cursory reading of ip_fw.c indicates that it does, but I'm happy
> > to be shown otherwise, as I don't consider myself to be a C expert.
> > Or are you referring to the fact that you need a more comprehensive
> > ruleset to be effective?
>
> I had a discussion with Alex a while back, and if my memory isn't
> failing me this didn't work. I don't know why either, and I haven't
> looked at the sources. Perhaps it's been fixed to work, but I haven't
> seen anything significant since the discussion.
>

Aren't we just having a communications gap here ??? ... I thought the
53<->53 just meant a rule like this ..

accept udp from any 53 to any 53

Which is possible to configure ... I use it often for routing info to be
exchanged ... e.g.

accept udp from any 520 to 1.2.3.4 520 in recv ed0

and that works fine ....

Reinier
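As an added illustration (not code from the thread or from FreeBSD's ip_fw.c), a small Python matcher for the ipfw-style rule syntax quoted above, showing what a rule with both ends pinned to port 53 does and does not admit compared with a rule that checks only the destination port. The rule strings, addresses and packets below are constructed for the example.

```python
"""Tiny matcher for the ipfw-style UDP rules quoted in the thread.
Added example, not FreeBSD's ipfw code; rules and packets are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # allow / accept / deny
    src: Optional[str]      # None stands for "any"
    sport: Optional[int]    # None: source port not checked
    dst: Optional[str]
    dport: Optional[int]


def _endpoint(toks: list[str]) -> tuple[Optional[str], Optional[int]]:
    """'<addr|any> [port]' -> (addr or None, port or None)."""
    host = None if toks[0] == "any" else toks[0]
    port = int(toks[1]) if len(toks) > 1 and toks[1].isdigit() else None
    return host, port


def parse_rule(text: str) -> Rule:
    """Parse 'allow udp from <src> [port] to <dst> [port] ...'.
    Trailing options (in, recv ed0, ...) are accepted and ignored here."""
    toks = text.split()
    i_from, i_to = toks.index("from"), toks.index("to")
    src, sport = _endpoint(toks[i_from + 1:i_to])
    dst, dport = _endpoint(toks[i_to + 1:i_to + 3])
    return Rule(toks[i_from - 2], src, sport, dst, dport)


def verdict(rules: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; otherwise the default applies."""
    for r in rules:
        if ((r.src is None or r.src == pkt.src) and (r.sport is None or r.sport == pkt.sport)
                and (r.dst is None or r.dst == pkt.dst) and (r.dport is None or r.dport == pkt.dport)):
            return "allow" if r.action in ("allow", "accept") else "deny"
    return default


# The rule under discussion: both ends pinned to port 53.
DNS_PAIR = [parse_rule("ipfw add 1000 allow udp from any 53 to 1.2.3.4 53 in")]
# A looser rule that checks only the destination port (constructed for contrast).
DNS_DST_ONLY = [parse_rule("allow udp from any to 1.2.3.4 53 in")]
# Constructed packets: a reply between two name servers, and a query from a high port.
SERVER_REPLY = Packet("10.0.0.1", 53, "1.2.3.4", 53)
HIGH_PORT_QUERY = Packet("10.0.0.1", 1025, "1.2.3.4", 53)
```

The 53<->53 rule passes SERVER_REPLY and drops HIGH_PORT_QUERY, while the destination-port-only rule passes both; that difference is the point of pinning both ports.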