Date: Thu, 15 Feb 2001 11:30:12 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: Joseph Stein <joes@joescanner.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw rules
Message-ID: <3A8BBDC4.D9CE6E4D@algroup.co.uk>
References: <Pine.WNT.4.31.0102140008440.1164-100000@hood>
Joseph Stein wrote:
>
> I'm looking for some peer-review to a firewall ruleset I've written based
> on the O'Reilly book "Building Internet Firewalls" and the "default"
> rc.firewall script
>
> Here it is. I would gladly accept any comments; this is merely what
> "works" on my system; if it breaks some paradigm, I'd like to hear about
> why (please mail me privately, and I'll summarize if there is enough
> interest).
>
> I do have one specific question....
>
> The last 20 or so lines are there specifically to allow ICQ to work
> properly (I couldn't get ICQ to work successfully without them). Any
> ideas on how to eliminate some of that mess?
>
> Any other ideas?

don't have time to read this thoroughly, but here's an old favourite...

>
> # Allow access to DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
> ${fwcmd} add pass udp from any 53 to ${oip}
                                ^^^^^^

by setting my source port to 53, i can connect from anywhere to any udp
service on your ${oip}. e.g. NFS, syslog, whatever. this would be bad - you
should never filter based on source port.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A8BBDC4.D9CE6E4D>
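The weakness Adam points out, a pass rule whose only port constraint is the source port, is easy to miss by eye in a long ruleset. The following linter is an added example written for this archive page; it is not code from Adam Laurie, Joseph Stein or the FreeBSD project. It scans ipfw `add` lines of the form shown in the quoted ruleset, and reports every accept rule that names a source port but no destination port, marking the finding as high risk when the source address is `any`. The sample ruleset is the quoted DNS block, embedded verbatim with its `${fwcmd}`/`${oip}` placeholders; the decision to skip rules carrying `keep-state` (ipfw's stateful option) is an assumption about how a reviewer would want stateful rules treated, not something the thread discusses.

```python
import re

# Constructed sample input: the "Allow access to DNS" block from the quoted
# ruleset, with the script's ${fwcmd} and ${oip} placeholders left in place.
SAMPLE_RULES = """\
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
${fwcmd} add pass udp from any 53 to ${oip}
"""

# Matches "add [number] <action> <proto> from <src> [sport] to <dst> [dport] <rest>".
# Ports are digit/comma/dash lists so that address tokens such as "any" or
# "${oip}" are never mistaken for a port.
RULE_RE = re.compile(
    r"\badd\s+(?:\d+\s+)?"
    r"(?P<action>pass|allow|accept|deny|drop|reject|unreach)\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,\-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,\-]+))?(?P<rest>.*)$"
)

ACCEPT_ACTIONS = {"pass", "allow", "accept"}


def lint_ipfw(text):
    """Return findings for accept rules whose only port match is the source port.

    Each finding is a dict with the 1-based line number, the source address,
    the source port, whether the source is untrusted ("any"), and the raw rule.
    Rules with a destination port are fine; rules with keep-state are skipped
    (assumption: the stateful entry, not the port, is doing the filtering).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.search(line)
        if not m:
            continue  # not an add rule (comment, blank line, other ipfw command)
        if m.group("action") not in ACCEPT_ACTIONS:
            continue  # deny/drop rules cannot open a hole
        if "keep-state" in m.group("rest"):
            continue
        if m.group("sport") and not m.group("dport"):
            findings.append({
                "line": lineno,
                "src": m.group("src"),
                "sport": m.group("sport"),
                "untrusted_src": m.group("src") == "any",
                "rule": line.strip(),
            })
    return findings


def format_findings(findings):
    """Render findings as one report line each, high risk first."""
    ordered = sorted(findings, key=lambda f: not f["untrusted_src"])
    lines = []
    for f in ordered:
        risk = "HIGH" if f["untrusted_src"] else "low"
        lines.append(
            f"[{risk}] line {f['line']}: accepts from {f['src']} port "
            f"{f['sport']} to any port -> {f['rule']}"
        )
    return lines


if __name__ == "__main__":
    for report_line in format_findings(lint_ipfw(SAMPLE_RULES)):
        print(report_line)
```

Run against the sample, the last rule of the DNS block is reported as HIGH (anyone who sets their UDP source port to 53 is accepted to every UDP port on ${oip}), and the third rule as low (same pattern, but the source is the host's own address). The first two rules, which constrain the destination port, produce no finding. The linter is deliberately narrow: it understands only the plain `from ... to ...` form used in the quoted script, so rules written with ipfw's other syntaxes pass through unchecked rather than being misreported.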