From owner-freebsd-hackers Sun Jun 1 20:22:26 1997
To: hackers@freebsd.org
Subject: Improvements to rc.firewall?
Date: Sun, 01 Jun 1997 23:21:26 -0300
Message-Id: <1883.865221686@mumps.pfcs.com>
From: Harlan Stenn

These diffs are against the rc.firewall in -current.

I believe the existing rules say:

    allow anybody from the outside who sends from port 53 or 123 to send UDP packets to anyplace on our net

If this is true, we should tighten it up to only permit outsiders to reach *our* DNS and NTP ports with UDP.

These diffs *are intended* to do the job...

Would somebody please review these and, if appropriate, commit the changes?

Thanks...

H

--- rc.firewall- Sun Jun 1 21:23:06 1997 +++ rc.firewall Sun Jun 1 21:29:11 1997 @@ -87,11 +87,11 @@ /sbin/ipfw add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} + /sbin/ipfw add pass udp from any to ${ip} 53 /sbin/ipfw add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} + /sbin/ipfw add pass udp from any to ${ip} 123 /sbin/ipfw add pass udp from ${ip} to any 123 # Everything else is denied as default.
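Review bot: the removed line `/sbin/ipfw add pass udp from any 53 to ${ip}` is the rule that lets a remote server's reply (source port 53, destination the ephemeral port our resolver chose) back in for the query the next context line sends out with `pass udp from ${ip} to any 53`; the replacement `pass udp from any to ${ip} 53` only matches packets addressed to port 53 on ${ip}, so with this hunk applied those replies fall through to "Everything else is denied as default" and outbound DNS lookups from the firewall host stop working. The NTP pair has the same shape: `pass udp from any to ${ip} 123` passes a reply only if the local client sent from port 123. The comment "Allow DNS queries out in the world" also no longer describes the new rule, which admits inbound queries to a server on ${ip}. If the aim is to stop arbitrary source-port-53 traffic from reaching every UDP port on ${ip}, narrow the source of the existing reply rule instead of dropping it (for example `pass udp from ${ns} 53 to ${ip}`, with `${ns}` a placeholder for the configured nameserver that this script does not yet define), and add the `to ${ip} 53` rule only where ${ip} actually runs a nameserver.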
@@ -144,11 +144,11 @@ /sbin/ipfw add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} + /sbin/ipfw add pass udp from any to ${oip} 53 /sbin/ipfw add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} + /sbin/ipfw add pass udp from any to ${oip} 123 /sbin/ipfw add pass udp from ${oip} to any 123 # Everything else is denied as default.
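Review bot: same problem in the ${oip} variant: replacing `pass udp from any 53 to ${oip}` with `pass udp from any to ${oip} 53` removes the only rule that passes a remote server's reply to the ephemeral port used by `pass udp from ${oip} to any 53`, so after this hunk those replies hit the default deny, and likewise for NTP replies to any local port other than 123. As with the ${ip} hunk, narrow the reply rule's source rather than replacing it, and keep the "Allow DNS queries out in the world" comment in step with what the rule actually permits.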
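Added example, not code from the original message or from rc.firewall: a minimal ipfw-style first-match evaluator that applies the UDP rules from the two hunks, before and after the change, to constructed packets; the addresses standing in for ${ip} and the remote server are placeholders. It shows which packets the removed `from any 53` rule was actually passing and what the new `to ${ip} 53` rule passes instead.

```python
# Added example, not code from the original message or from rc.firewall:
# a tiny ipfw-style first-match evaluator for the UDP rules in the two hunks,
# run over constructed packets. ${ip} and the remote host are placeholders.
ANY = None
IP = "192.0.2.10"        # stands in for ${ip} (constructed address)
REMOTE = "198.51.100.5"  # a remote DNS/NTP server (constructed address)

def rule(action, src, sport, dst, dport):
    return (action, (src, sport, dst, dport))

# Rules as they stand before the patch (context lines plus the '-' lines).
BEFORE = [
    rule("pass", ANY, 53, IP, ANY),  rule("pass", IP, ANY, ANY, 53),
    rule("pass", ANY, 123, IP, ANY), rule("pass", IP, ANY, ANY, 123),
]
# Rules after the patch (context lines plus the '+' lines).
AFTER = [
    rule("pass", ANY, ANY, IP, 53),  rule("pass", IP, ANY, ANY, 53),
    rule("pass", ANY, ANY, IP, 123), rule("pass", IP, ANY, ANY, 123),
]

def verdict(rules, pkt):
    """pkt = (src, sport, dst, dport). First match wins; anything unmatched
    falls through to the default deny at the end of rc.firewall."""
    for action, pattern in rules:
        if all(want is ANY or want == got for want, got in zip(pattern, pkt)):
            return action
    return "deny"

# Constructed UDP traffic: our resolver's query from an ephemeral port and the
# server's reply, an outsider querying our own port 53, and an outsider sending
# from port 53 to some other UDP port on ${ip} (the case the message worries about).
PACKETS = {
    "query_out":             (IP, 1025, REMOTE, 53),
    "reply_in":              (REMOTE, 53, IP, 1025),
    "query_to_us":           (REMOTE, 2000, IP, 53),
    "from_53_to_other_port": (REMOTE, 53, IP, 514),
}

def compare():
    """Map each packet name to its (before, after) verdict."""
    return {name: (verdict(BEFORE, p), verdict(AFTER, p))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:22s} before={before:5s} after={after}")
```

The reply to our own query passes before the change and is denied after it, which is the regression the review notes describe.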