From owner-freebsd-hackers Sun Jun 1 22:21:09 1997
Date: Sun, 1 Jun 1997 22:19:29 -0700 (PDT)
From: Julian Elischer
To: Harlan Stenn
cc: hackers@FreeBSD.ORG
Subject: Re: Improvements to rc.firewall?
In-Reply-To: <1883.865221686@mumps.pfcs.com>

On Sun, 1 Jun 1997, Harlan Stenn wrote:

> These diffs are against the rc.firewall in -current.
>
> I believe the existing rules say:
>
>     allow anybody from the outside who sends from port 53 or 123 to
>     send UDP packets to anyplace on our net
>
> If this is true, we should tighten it up to only permit outsiders to
> reach *our* DNS and NTP ports with UDP.
>
> These diffs *are intended* to do the job...
>
> [snip]

check out the new ipfw options too.
(in -current right now but being tested in 2.2.2 as we speak)

julian
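The difference Harlan describes, modelled as an added example (not code from the thread or from rc.firewall): a minimal matcher for the `allow udp from SRC [SPORT] to DST [DPORT]` subset of ipfw syntax, run over constructed packets against the loose rules and the tightened ones. The addresses (our net 192.0.2.0/24, a DNS server at .10 and an NTP server at .20) are assumptions for illustration.

```python
"""Compare the loose rc.firewall UDP rules with the tightened ones.

Loose: any outside host using source port 53 or 123 reaches any UDP port
on any internal host.  Tight: only our DNS/NTP servers' own ports.
Addresses below are constructed for the example, not real hosts."""
import ipaddress

ONET = "192.0.2.0/24"        # our internal network (constructed)
DNS_SERVER = "192.0.2.10"    # host running named (constructed)
NTP_SERVER = "192.0.2.20"    # host running ntpd (constructed)

# Subset of ipfw syntax handled here: allow udp from SRC [SPORT] to DST [DPORT]
LOOSE_RULES = [
    f"allow udp from any 53 to {ONET}",
    f"allow udp from any 123 to {ONET}",
]
TIGHT_RULES = [
    f"allow udp from any 53 to {DNS_SERVER} 53",
    f"allow udp from any 123 to {NTP_SERVER} 123",
]


def parse_rule(rule):
    """Parse one rule string into src/sport/dst/dport; a missing port means 'any'."""
    toks = rule.split()
    if toks[:3] != ["allow", "udp", "from"] or "to" not in toks:
        raise ValueError(f"unsupported rule: {rule}")
    t = toks.index("to")
    sport = int(toks[4]) if t == 5 else None
    dport = int(toks[t + 2]) if len(toks) > t + 2 else None
    return {"src": toks[3], "sport": sport, "dst": toks[t + 1], "dport": dport}


def _addr_match(spec, addr):
    """'any' matches everything; otherwise addr must fall inside the host/net spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def allowed(rules, src, sport, dst, dport):
    """First-match semantics like ipfw; no match falls through to the implicit deny."""
    for r in map(parse_rule, rules):
        if (_addr_match(r["src"], src) and r["sport"] in (None, sport)
                and _addr_match(r["dst"], dst) and r["dport"] in (None, dport)):
            return True
    return False


if __name__ == "__main__":
    # Outside host, source port 53, aimed at some unrelated internal UDP service.
    pkt = ("203.0.113.5", 53, "192.0.2.77", 5000)
    print("loose:", allowed(LOOSE_RULES, *pkt), "tight:", allowed(TIGHT_RULES, *pkt))
```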