Date: Thu, 14 Jan 1999 23:00:41 +1300 (NZDT) From: Andrew McNaughton <andrew@squiz.co.nz> To: "Jan B. Koum " <jkb@best.com> Cc: "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>, Patrick Barmentlo <pbm@gateway.barmentlo.net>, security@FreeBSD.ORG Subject: Re: examples rules ipfw Message-ID: <Pine.BSF.4.05.9901142255490.329-100000@aniwa.sky> In-Reply-To: <19990112042358.C303@best.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 12 Jan 1999, Jan B. Koum wrote: > > add 00501 allow tcp from any to smarter 1024-65535 > > > > This allows all traffic to ports 1024 through 65535 (to let FTP work > > correctly) > > > This is not good! There are way MANY evil things running on ports > greater then 1024. Take X windows (6000), take nfsd (2049). Most of > the insecure solaris rpc crap runs in that range. This list could > go on forever. Depending on what you are shielding of course. If you are only shielding a single host, or a small number, it may be possible to comprehensively list the ports you need to be careful of (eg netstat -a). > You would be much better off using passive ftp (ftp -p) then opening > up all those holes into your network. I connect to specific hosts which disallow passive ftp, so I don't use this approach. I'd be curious to know how common this is? Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9901142255490.329-100000>