Date: Thu, 15 Feb 2001 11:30:12 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Joseph Stein <joes@joescanner.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw rules
Message-ID: <3A8BBDC4.D9CE6E4D@algroup.co.uk>
References: <Pine.WNT.4.31.0102140008440.1164-100000@hood>
Joseph Stein wrote:
>
> I'm looking for some peer-review to a firewall ruleset I've written based
> on the O'Reilly book "Building Internet Firewalls" and the "default"
> rc.firewall script
>
> Here it is. I would gladly accept any comments; this is merely what
> "works" on my system; if it breaks some paradigm, I'd like to hear about
> why (please mail me privately, and I'll summarize if there is enough
> interest).
>
> I do have one specific question....
>
> The last 20 or so lines are there specifically to allow ICQ to work
> properly (I couldn't get ICQ to work successfully without them). Any
> ideas on how to eliminate some of that mess?
>
> Any other ideas?
Don't have time to read this thoroughly, but here's an old favourite...
>
> # Allow access to DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
> ${fwcmd} add pass udp from any 53 to ${oip}
^^^^^^
By setting my source port to 53, I can connect from anywhere to any UDP
service on your ${oip}, e.g. NFS, syslog, whatever. This would be bad -
you should never filter based on source port.
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
Voysey House http://www.thebunker.net
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
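As an added illustration (not part of Adam's reply or of Joseph's posted ruleset): a small Python model of ipfw's first-match evaluation. It runs the quoted DNS rules, with a constructed address standing in for ${oip}, against a UDP packet sent from source port 53 to the NFS port, and then runs the same probes against a stateful variant that uses ipfw's keep-state/check-state options so that replies are admitted because they answer a query the firewall has seen, not because their source port is 53. The stateful rules are my suggestion, not something from the thread; the model ignores dynamic-rule timeouts, the 'setup' and direction keywords, and anything other than UDP/IP rules.

```python
"""Toy first-match evaluator for a subset of ipfw syntax. Added example, not ipfw
itself: it shows why 'pass udp from any 53 to ${oip}' exposes every UDP service on
${oip}, and how keep-state/check-state closes the hole. Addresses are constructed."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

OIP = "192.0.2.10"          # constructed stand-in for the poster's ${oip}
RESOLVER = "203.0.113.5"    # constructed upstream DNS server
ATTACKER = "198.51.100.7"   # constructed attacker

# The poster's DNS rules with ${fwcmd} dropped and ${oip} substituted; the final
# deny stands in for the default deny that closes rc.firewall.
ORIGINAL_DNS_RULES = f"""
add pass udp from any to {OIP} 53
add pass udp from {OIP} 53 to any
add pass udp from any 53 to {OIP}
add deny ip from any to any
"""
# Suggested replacement (assumption, not from the thread): a reply is admitted
# only if it answers a query the firewall already saw, not because sport == 53.
STATEFUL_DNS_RULES = f"""
add check-state
add pass udp from any to {OIP} 53 keep-state
add pass udp from {OIP} to any 53 keep-state
add deny ip from any to any
"""
Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Rule(NamedTuple):
    action: str                   # "pass" or "deny"
    proto: str = "ip"             # "ip" matches any protocol
    src: str = "any"
    sport: Optional[int] = None   # None = any port
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False
    check_state: bool = False


def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto) and r.src in ("any", p.src)
            and r.sport in (None, p.sport) and r.dst in ("any", p.dst)
            and r.dport in (None, p.dport))


def parse_rule(line: str) -> Rule:
    """Parse 'add <action> <proto> from <src> [port] to <dst> [port] [options]'."""
    toks = line.split()
    while toks and (toks[0] in ("ipfw", "add") or toks[0].isdigit()):
        toks.pop(0)                    # optional 'ipfw', 'add', rule number
    if toks == ["check-state"]:
        return Rule("pass", check_state=True)
    action, proto, src, i = toks[0], toks[1], toks[3], 4
    sport = dport = None
    if toks[i].isdigit():
        sport, i = int(toks[i]), i + 1
    assert toks[2] == "from" and toks[i] == "to", f"unsupported rule: {line!r}"
    dst, i = toks[i + 1], i + 2
    if i < len(toks) and toks[i].isdigit():
        dport, i = int(toks[i]), i + 1
    # remaining options ('setup', 'in', 'out', ...) are ignored in this toy
    return Rule(action, proto, src, sport, dst, dport, "keep-state" in toks[i:])


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


class Firewall:
    """First-match evaluation plus a dynamic-rule table (no expiry is modelled)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Key] = set()

    def filter(self, p: Packet) -> str:
        fwd = tuple(p)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r.check_state or r.keep_state:
                # check-state, and every keep-state rule, consults the dynamic
                # table first; an entry matches traffic in either direction.
                if fwd in self.state or rev in self.state:
                    return "pass"
                if r.check_state:
                    continue
            if matches(r, p):
                if r.keep_state and r.action == "pass":
                    self.state.add(fwd)
                return r.action
        return "deny"   # kernel default rule 65535 (no IPFIREWALL_DEFAULT_TO_ACCEPT)


def demo() -> Dict[str, str]:
    """Send the same probes through both rulesets; returns {label: verdict}."""
    nfs_from_53 = Packet("udp", ATTACKER, 53, OIP, 2049)   # NFS reached via sport 53
    query_in = Packet("udp", ATTACKER, 4000, OIP, 53)      # ordinary query to the server
    query_out = Packet("udp", OIP, 1025, RESOLVER, 53)     # the server's own lookup
    reply_in = Packet("udp", RESOLVER, 53, OIP, 1025)      # genuine answer
    forged = Packet("udp", ATTACKER, 53, OIP, 1025)        # same ports, wrong peer
    orig = Firewall(parse_ruleset(ORIGINAL_DNS_RULES))
    stf = Firewall(parse_ruleset(STATEFUL_DNS_RULES))
    return {
        "orig/nfs_from_53": orig.filter(nfs_from_53),      # pass: the hole
        "orig/query_in": orig.filter(query_in),
        "stateful/nfs_from_53": stf.filter(nfs_from_53),   # deny
        "stateful/query_in": stf.filter(query_in),
        "stateful/query_out": stf.filter(query_out),       # creates a dynamic entry
        "stateful/reply_in": stf.filter(reply_in),         # matched by check-state
        "stateful/forged_reply": stf.filter(forged),       # no entry: denied
    }
```

Running demo() shows the original rules passing the attacker's packet to port 2049 purely on the strength of its source port, while the stateful rules deny it and still admit the genuine reply to the server's own query. If you would rather not go stateful, the minimum fix is to pin the destination as well as the source (for example, only to the ports your resolver actually binds), so that a source port is never the sole basis for a pass.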
