From owner-freebsd-security  Thu Feb 15  3:32: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id 8D29D37B491
	for <freebsd-security@freebsd.org>; Thu, 15 Feb 2001 03:31:53 -0800 (PST)
Received: from algroup.co.uk ([192.168.192.1]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id LAA02877; Thu, 15 Feb 2001 11:30:23 GMT
Message-ID: <3A8BBDC4.D9CE6E4D@algroup.co.uk>
Date: Thu, 15 Feb 2001 11:30:12 +0000
From: Adam Laurie <adam@algroup.co.uk>
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Joseph Stein <joes@joescanner.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw rules
References: <Pine.WNT.4.31.0102140008440.1164-100000@hood>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Joseph Stein wrote:
> 
> I'm looking for some peer-review to a firewall ruleset I've written based
> on the O'Reilly book "Building Internet Firewalls" and the "default"
> rc.firewall script
> 
> Here it is.  I would gladly accept any comments;  this is merely what
> "works" on my system; if it breaks some paradigm, I'd like to hear about
> why (please mail me privately, and I'll summarize if there is enough
> interest).
> 
> I do have one specific question....
> 
> The last 20 or so lines are there specifically to allow ICQ to work
> properly (I couldn't get ICQ to work succesfully with out them).  Any
> ideas on how to eliminate some of that mess?
> 
> Any other ideas?

don't have time to read this thoroughly, but here's an old favourite...

> 
> # Allow access to DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
> ${fwcmd} add pass udp from any 53 to ${oip}
                             ^^^^^^

by setting my source port to 53, i can connect from anywhere to any udp
service on your ${oip}. e.g. NFS, syslog, whatever. this would be bad -
you should never filter based on source port.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message