From: Adam Laurie <adam@algroup.co.uk>
Date: Thu, 15 Feb 2001 11:30:12 +0000
Message-ID: <3A8BBDC4.D9CE6E4D@algroup.co.uk>
To: Joseph Stein
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw rules

Joseph Stein wrote:
>
> I'm looking for some peer-review to a firewall ruleset I've written based
> on the O'Reilly book "Building Internet Firewalls" and the "default"
> rc.firewall script
>
> Here it is. I would gladly accept any comments; this is merely what
> "works" on my system; if it breaks some paradigm, I'd like to hear about
> why (please mail me privately, and I'll summarize if there is enough
> interest).
>
> I do have one specific question....
>
> The last 20 or so lines are there specifically to allow ICQ to work
> properly (I couldn't get ICQ to work successfully without them). Any
> ideas on how to eliminate some of that mess?
>
> Any other ideas?

don't have time to read this thoroughly, but here's an old favourite...

>
> # Allow access to DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
> ${fwcmd} add pass udp from any 53 to ${oip}
                                ^^^^^^

by setting my source port to 53, i can connect from anywhere to any udp
service on your ${oip}. e.g. NFS, syslog, whatever.

this would be bad - you should never filter based on source port.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
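The source-port hole Adam points out, worked through as an added example (not part of the thread): a minimal first-match model of ipfw UDP rules, with the posted "from any 53" rule beside a stateful replacement in which the outbound query opens a dynamic entry and replies are matched against it. The addresses and the NFS port 2049 on ${oip} are constructed for the demonstration.

```python
# Added example, not from the mailing-list thread: a tiny first-match model of
# ipfw UDP rules with keep-state/check-state, enough to show the source-port hole.
OIP = "192.0.2.10"  # constructed address standing in for ${oip}

def rule(action, src, sport, dst, dport, keep_state=False):
    """One UDP ipfw rule; 'any' or None act as wildcards."""
    return {"action": action, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "keep_state": keep_state}

def _match(pattern, value):
    return pattern in ("any", None) or pattern == value

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # (src, sport, dst, dport) flows opened by keep-state

    def filter(self, src, sport, dst, dport):
        # check-state: a reply to a flow we opened ourselves is allowed through
        if (dst, dport, src, sport) in self.dynamic:
            return "pass"
        for r in self.rules:  # first matching static rule wins
            if all(_match(r[k], v) for k, v in (("src", src), ("sport", sport),
                                                 ("dst", dst), ("dport", dport))):
                if r["action"] == "pass" and r["keep_state"]:
                    self.dynamic.add((src, sport, dst, dport))
                return r["action"]
        return "deny"  # implicit final deny

# The posted ruleset: the last rule trusts any packet whose SOURCE port is 53.
WEAK = Firewall([
    rule("pass", "any", None, OIP, 53),   # queries to our server
    rule("pass", OIP, 53, "any", None),   # our server's answers
    rule("pass", "any", 53, OIP, None),   # "replies" to our queries  <- the hole
])

# Corrected: our own outbound query opens the state; nothing matches on sport alone.
FIXED = Firewall([
    rule("pass", "any", None, OIP, 53),
    rule("pass", OIP, 53, "any", None),
    rule("pass", OIP, None, "any", 53, keep_state=True),  # query + its reply
])

def demo():
    # A remote host sets sport=53 and aims at NFS (2049) on ${oip}.
    attack_weak = WEAK.filter("198.51.100.7", 53, OIP, 2049)
    attack_fixed = FIXED.filter("198.51.100.7", 53, OIP, 2049)
    # Legitimate resolution still works with the fixed set.
    FIXED.filter(OIP, 40000, "198.51.100.53", 53)            # outbound query
    reply_fixed = FIXED.filter("198.51.100.53", 53, OIP, 40000)
    return attack_weak, attack_fixed, reply_fixed
```

Running `demo()` returns `("pass", "deny", "pass")`: the weak set lets the forged source port reach port 2049, the stateful set does not, and genuine DNS replies still get in.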