From owner-freebsd-questions@FreeBSD.ORG Tue Dec 9 07:49:40 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B5A2716A4CE for ; Tue, 9 Dec 2003 07:49:40 -0800 (PST)
Received: from mindfields.energyhq.es.eu.org (73.Red-213-97-200.pooles.rima-tde.net [213.97.200.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 46A3C43D21 for ; Tue, 9 Dec 2003 07:49:38 -0800 (PST) (envelope-from flynn@energyhq.es.eu.org)
Received: from scienide (scienide.energyhq.es.eu.org [192.168.100.1]) by mindfields.energyhq.es.eu.org (Postfix) with SMTP id 3F60B358D0; Tue, 9 Dec 2003 16:49:35 +0100 (CET)
Date: Tue, 9 Dec 2003 16:50:45 +0100
From: Miguel Mendez
Message-Id: <20031209165045.35e42b3a.flynn@energyhq.es.eu.org>
In-Reply-To: <001601c3be38$a9333fa0$fe01a8c0@JMICH>
References: <20031209093254.GA366@profi.kharkov.ua> <001601c3be38$a9333fa0$fe01a8c0@JMICH>
X-Mailer: Sylpheed version 0.9.5-gtk2-20030906 (GTK+ 2.2.4; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw keep-state (ASAP answer need)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 09 Dec 2003 15:49:40 -0000

./chael@southgate.ph.inter.net wrote:

> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You run a vulnerable service (bind, sendmail, you name it), Joe Haxor launches an exploit against that service and creates a bindshell on port 1337. Now all he has to do is use port 53 as source and automagically trespass your firewall settings.
Always use *stateful* firewalling, and never allow anything not strictly necessary. Btw, zone transfers use TCP, so you'd have to allow that as well.

Cheers,
--
Miguel Mendez
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
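The point of the reply, shown as a small simulation added for this page (it is not ipfw code and not part of the original message): the two quoted stateless rules judge every packet on its own, so any inbound UDP packet with source port 53 and a high destination port is accepted, whereas a stateful filter only accepts inbound packets that mirror an outbound DNS query it has already recorded. The addresses, ports and the `Packet`, `stateless_allows`, `StatefulFilter` and `run_scenario` names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the simulation (not taken from the thread).
LOCAL = "192.0.2.10"          # the protected host behind the firewall
RESOLVER = "198.51.100.53"    # the DNS server it legitimately queries
ATTACKER = "203.0.113.9"      # source of an unsolicited packet
HIGH_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = leaving the host, "in" = arriving at it


def stateless_allows(pkt: Packet) -> bool:
    """Model of the two quoted rules:
         allow udp from any 1024-65535,53 to any 53
         allow udp from any 53 to any 1024-65535
    Each packet is judged by its ports alone; nothing remembers earlier traffic."""
    if pkt.proto != "udp":
        return False
    to_dns = (pkt.src_port in HIGH_PORTS or pkt.src_port == 53) and pkt.dst_port == 53
    from_dns = pkt.src_port == 53 and pkt.dst_port in HIGH_PORTS
    return to_dns or from_dns


class StatefulFilter:
    """Model of 'check-state' plus 'allow udp from me to any 53 out keep-state':
    an outbound query records a flow, and an inbound packet is accepted only if
    it is the exact reverse of a recorded flow."""

    def __init__(self) -> None:
        # entries: (proto, local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.proto == "udp" and pkt.src_ip == LOCAL and pkt.dst_port == 53:
                self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
            return False
        # Inbound: (dst, src) of this packet must mirror a recorded (local, remote) flow.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows


def run_scenario() -> dict:
    """Replays the thread's scenario against both filters and returns each verdict."""
    query = Packet("udp", LOCAL, 40123, RESOLVER, 53, "out")
    reply = Packet("udp", RESOLVER, 53, LOCAL, 40123, "in")
    # Unsolicited inbound packet using source port 53, aimed at the port from the thread.
    probe = Packet("udp", ATTACKER, 53, LOCAL, 1337, "in")

    stateful = StatefulFilter()
    return {
        "stateless_reply": stateless_allows(reply),
        "stateless_probe": stateless_allows(probe),   # True: the hole the reply describes
        "stateful_query": stateful.allows(query),
        "stateful_reply": stateful.allows(reply),
        "stateful_probe": stateful.allows(probe),     # False: no matching outbound flow
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {'allow' if verdict else 'deny'}")
```

On ipfw itself the stateful form the reply recommends is `add check-state` followed by `add allow udp from me to any 53 out keep-state`, with a matching `add allow tcp from me to any 53 out setup keep-state` for the zone transfers the reply mentions; the simulation models only the UDP rule, and ignores the entry expiry a real dynamic-rule table applies.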