Date:      Tue, 12 Jan 1999 04:23:58 -0800
From:      "Jan B. Koum " <jkb@best.com>
To:        "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>, Patrick Barmentlo <pbm@gateway.barmentlo.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <19990112042358.C303@best.com>
In-Reply-To: <Pine.BSF.4.05.9901111442510.854-100000@smarter.than.nu>; from Brian W. Buchanan on Mon, Jan 11, 1999 at 02:56:44PM -0800
References:  <Pine.BSF.4.05.9901112327400.305-100000@gateway.barmentlo.net> <Pine.BSF.4.05.9901111442510.854-100000@smarter.than.nu>

[redirect from -hackers to -security]

On Mon, Jan 11, 1999 at 02:56:44PM -0800, "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU> wrote:
> On Mon, 11 Jan 1999, Patrick Barmentlo wrote:
> 
> > Can someone please point me to some good examples for the rc.firewall
> > file (ipfw)??
> > (with most variants of options/features...)
> > 
> > I have to set up some filtering, but am still having some difficulties with
> > it after checking freebsd.org....
> 
> 
> add 00501 allow tcp from any to smarter 1024-65535
> 
>  This allows all traffic to ports 1024 through 65535 (to let FTP work
> correctly)


	This is not good! There are way MANY evil things running on ports
	greater than 1024. Take X windows (6000), take nfsd (2049). Most of
	the insecure Solaris rpc crap runs in that range. This list could
	go on forever.

	You would be much better off using passive ftp (ftp -p) than opening
	up all those holes into your network. 

	Just MHO.

-- Yan
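
Added example, not part of the original message or of FreeBSD's own tooling: a small audit that reports which of the services named in the reply (X Windows on 6000, nfsd on 2049) an ipfw "allow tcp from any" rule leaves reachable. It assumes a simplified subset of the rule syntax (the form quoted above plus the "established" keyword); the function names and the sample rules other than 00501 are constructed.

```python
import re

# Services and port numbers exactly as named in the reply above.
RISKY_TCP = {6000: "X Windows", 2049: "nfsd"}

# Simplified rule grammar (assumption): [add] NUM ACTION PROTO from SRC to DST [PORTS] ...
PORTS = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"
RULE_RE = re.compile(
    r"^(?:add\s+)?(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<ports>" + PORTS + r"))?(?:\s|$)"
)

def port_ranges(spec):
    """Turn '1024-65535' or '21,6000-6063' into (low, high) pairs; None means every port."""
    if spec is None:
        return [(0, 65535)]
    pairs = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        pairs.append((int(low), int(high or low)))
    return pairs

def exposed_services(rule):
    """Named services that a rule lets any remote host open a new TCP connection to."""
    m = RULE_RE.match(rule.strip())
    if not m or m["action"] != "allow" or m["proto"] != "tcp" or m["src"] != "any":
        return []
    if "established" in rule.split():  # matches only packets of existing connections
        return []
    ranges = port_ranges(m["ports"])
    return sorted(name for port, name in RISKY_TCP.items()
                  if any(lo <= port <= hi for lo, hi in ranges))

def audit(ruleset):
    """Map rule number -> exposed services, for rules that expose at least one."""
    findings = {}
    for line in ruleset.splitlines():
        hits = exposed_services(line)
        if hits:
            findings[RULE_RE.match(line.strip())["num"]] = hits
    return findings

# Rule 00501 is quoted from the thread; the other two lines are constructed samples.
SAMPLE = """add 00501 allow tcp from any to smarter 1024-65535
add 00600 allow tcp from any to smarter 22
add 00610 allow tcp from any to any established"""

if __name__ == "__main__":
    for num, services in audit(SAMPLE).items():
        print(f"rule {num} exposes: {', '.join(services)}")
```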
