Date:      Tue, 9 Dec 2003 16:50:45 +0100
From:      Miguel Mendez <flynn@energyhq.es.eu.org>
To:        <chael@southgate.ph.inter.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw keep-state (ASAP anwser need)
Message-ID:  <20031209165045.35e42b3a.flynn@energyhq.es.eu.org>
In-Reply-To: <001601c3be38$a9333fa0$fe01a8c0@JMICH>
References:  <20031209093254.GA366@profi.kharkov.ua> <001601c3be38$a9333fa0$fe01a8c0@JMICH>

./chael@southgate.ph.inter.net wrote:

> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You
run a vulnerable service (bind, sendmail, you name it), Joe Haxor
launches an exploit against that service and creates a bindshell on port
1337. Now all he has to do is use port 53 as source and automagically
trespasses your firewall settings. Always use *stateful* firewalling,
and never allow anything not strictly necessary. Btw, zone transfers use
TCP, so you'd have to allow that as well.

Cheers,
-- 
	Miguel Mendez <flynn@energyhq.es.eu.org>
	http://www.energyhq.es.eu.org
	PGP Key: 0xDC8514F1
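As an added illustration of the stateful alternative the reply argues for (this is example code, not part of the original mail or of FreeBSD's rc.firewall), the script below emits ipfw rules that admit DNS replies only because a `keep-state` entry was created by our own outbound query, never because a packet happens to carry source port 53. Assumptions: `fwcmd` defaults to `echo ipfw` so the rules can be inspected without a live firewall, the resolver and secondary addresses are placeholders from the 192.0.2.0/24 documentation range, and the rule numbers are arbitrary. The `flag_stateless_port_trust` helper is a small audit that finds allow rules of the quoted shape (trusting a source port without `keep-state`) in any ipfw ruleset text fed to it.

```shell
#!/bin/sh
# Added example, not from the original mail. fwcmd defaults to a dry run;
# set fwcmd=/sbin/ipfw in the environment to apply the rules for real.
fwcmd="${fwcmd:-echo ipfw}"
dns_server="${dns_server:-192.0.2.53}"   # placeholder resolver address (assumption)
secondary="${secondary:-192.0.2.54}"     # placeholder secondary NS allowed to AXFR (assumption)

dns_rules() {
    # check-state admits packets that match a dynamic rule created by a
    # keep-state rule below; it must sit before the allow rules.
    ${fwcmd} add 100 check-state
    # Outbound queries to our resolver only. keep-state records the flow,
    # so the reply is admitted by state, not by a blanket "from any 53" rule.
    ${fwcmd} add 200 allow udp from me to ${dns_server} 53 out keep-state
    ${fwcmd} add 210 allow tcp from me to ${dns_server} 53 out setup keep-state
    # Zone transfers (AXFR) use TCP; accept them only from the expected secondary.
    ${fwcmd} add 300 allow tcp from ${secondary} to me 53 in setup keep-state
    # Anything that neither created nor matched a state entry is dropped,
    # so a listener that chooses source port 53 gains nothing.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Audit helper: print allow rules that trust a source port range (the pattern
# quoted in the mail, e.g. "from any 53" or "from any 1024-65535") without
# keep-state. Reads ruleset text on stdin, e.g. the output of "ipfw list".
flag_stateless_port_trust() {
    grep -E 'allow (udp|tcp) from any [0-9,-]+ to' | grep -v 'keep-state'
}

# Usage: run without arguments to print the stateful ruleset (dry run),
# or pipe an existing ruleset into flag_stateless_port_trust to audit it.
if [ "${1:-}" = "--audit" ]; then
    flag_stateless_port_trust
else
    dns_rules
fi
```

Running `sh stateful-dns.sh` prints the rules; `ipfw list | sh stateful-dns.sh --audit` lists any stateless source-port-trusting allow rules already loaded. The audit only catches the literal shape discussed here, not every way a ruleset can be too permissive.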


