From owner-freebsd-security Tue Jan 12 04:24:56 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA11395 for freebsd-security-outgoing; Tue, 12 Jan 1999 04:24:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA11390 for ; Tue, 12 Jan 1999 04:24:55 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.1/8.9.0/best.sh) id EAA01790; Tue, 12 Jan 1999 04:23:58 -0800 (PST)
Message-ID: <19990112042358.C303@best.com>
Date: Tue, 12 Jan 1999 04:23:58 -0800
From: "Jan B. Koum "
To: "Brian W. Buchanan" , Patrick Barmentlo
Cc: security@FreeBSD.ORG
Subject: Re: examples rules ipfw
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Brian W. Buchanan on Mon, Jan 11, 1999 at 02:56:44PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[redirect from -hackers to -security]

On Mon, Jan 11, 1999 at 02:56:44PM -0800, "Brian W. Buchanan" wrote:
> On Mon, 11 Jan 1999, Patrick Barmentlo wrote:
>
> > Can someone please point me to some good examples for the rc.firewall
> > file (ipfw)?
> > (with most variants of options/features...)
> >
> > I have to set up some filtering, but am still having some difficulties with
> > it after checking freebsd.org....
>
> > add 00501 allow tcp from any to smarter 1024-65535
>
> This allows all traffic to ports 1024 through 65535 (to let FTP work
> correctly)

This is not good! There are way MANY evil things running on ports greater
than 1024. Take X Windows (6000), take nfsd (2049). Most of the insecure
Solaris RPC crap runs in that range. This list could go on forever. You
would be much better off using passive FTP (ftp -p) than opening up all
those holes into your network. Just MHO.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
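The point made in the reply above, as an added example that is not code from the thread or from FreeBSD: a small first-match evaluator in Python for the subset of ipfw(8) rule syntax used in this discussion, run over two constructed rule sets, one containing the quoted `allow tcp from any to smarter 1024-65535` rule and one that drops it and relies on `setup`/`established` plus passive FTP instead, against a handful of constructed packets. Assumptions: the hostname `smarter` (taken from the quoted rule) is mapped to a made-up address, every other address and every rule number except 00501 is invented for the demo, and `established` is simplified to "ACK bit set" (the real ipfw keyword also matches RST).

```python
"""Added example, not code from the thread: a first-match evaluator for the
subset of ipfw(8) syntax used above, showing what the quoted rule
'allow tcp from any to smarter 1024-65535' actually admits.
Assumptions: 'smarter' resolves to a made-up address, rule numbers other
than 00501 and all packets are constructed, and 'established' is
simplified to 'ACK set' (ipfw also counts RST)."""
from dataclasses import dataclass

HOSTS = {"smarter": "192.0.2.10"}          # constructed name table


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def _ports(tok):
    """'1024-65535' -> (1024, 65535); '6000' -> (6000, 6000)."""
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def _addr(tok):
    return None if tok == "any" else HOSTS.get(tok, tok)   # None means any


def parse_rule(line):
    """add NUM allow|deny tcp|ip from SRC [PORTS] to DST [PORTS] [setup|established]"""
    t = line.split("#")[0].split()
    if not t:
        return None
    if t[0] != "add" or t[2] not in ("allow", "deny") or t[4] != "from":
        raise ValueError("unsupported rule: " + line)
    rule = {"num": int(t[1]), "action": t[2], "proto": t[3],
            "sports": None, "dports": None, "flag": None}
    i = 5
    rule["src"] = _addr(t[i]); i += 1
    if t[i] != "to":
        rule["sports"] = _ports(t[i]); i += 1
    i += 1                                    # skip the 'to' keyword
    rule["dst"] = _addr(t[i]); i += 1
    if i < len(t) and t[i] not in ("setup", "established"):
        rule["dports"] = _ports(t[i]); i += 1
    if i < len(t):
        rule["flag"] = t[i]
    return rule


def parse_ruleset(text):
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    return sorted(rules, key=lambda r: r["num"])   # ipfw walks rules by number


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if r["src"] not in (None, p.src) or r["dst"] not in (None, p.dst):
        return False
    if not _in_range(r["sports"], p.sport) or not _in_range(r["dports"], p.dport):
        return False
    if r["flag"] == "setup":          # only the SYN that opens a connection
        return p.syn and not p.ack
    if r["flag"] == "established":    # reply traffic of an already-open connection
        return p.ack
    return True


def evaluate(rules, p):
    """First matching rule wins, as in ipfw; returns (rule number, action)."""
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    raise RuntimeError("no terminal rule")


# Constructed rule sets: 00501 is the rule quoted in the thread, the rest is
# a plausible minimum around it, not anyone's actual rc.firewall.
WEAK = """
add 00500 allow tcp from any to any established
add 00501 allow tcp from any to smarter 1024-65535   # opens every high port
add 00502 allow tcp from smarter to any setup
add 65535 deny ip from any to any
"""
FIXED = """
add 00500 allow tcp from any to any established
add 00502 allow tcp from smarter to any setup        # outbound only; passive-FTP data fits here
add 65535 deny ip from any to any
"""

ME, FTPSRV, ATTACKER = HOSTS["smarter"], "198.51.100.7", "203.0.113.99"
SCENARIOS = {                                    # constructed packets
    "x11 probe":         Packet("tcp", ATTACKER, 40000, ME, 6000, syn=True),
    "nfsd probe":        Packet("tcp", ATTACKER, 40001, ME, 2049, syn=True),
    "active ftp data":   Packet("tcp", FTPSRV, 20, ME, 49152, syn=True),
    "passive ftp data":  Packet("tcp", ME, 49153, FTPSRV, 50000, syn=True),
    "passive ftp reply": Packet("tcp", FTPSRV, 50000, ME, 49153, syn=True, ack=True),
}


def verdicts(ruleset_text):
    """Map each scenario name to 'allow' or 'deny' under the given rule set."""
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, pkt)[1] for name, pkt in SCENARIOS.items()}
```

Running `verdicts(WEAK)` shows rule 00501 admitting the SYNs to 6000 and 2049 as readily as the active-mode FTP data connection it was written for; `verdicts(FIXED)` denies all three while still passing the passive-mode data connection (it is outbound, so the `setup` rule covers it) and its replies (covered by `established`). That is the trade the reply above is pointing at: the high-port hole buys only active-mode FTP, which `ftp -p` makes unnecessary.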