From: sthaug@nethelp.no
To: scanner@jurai.net
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Date: Sun, 25 Feb 2001 21:43:12 +0100
In-Reply-To: Your message of "Sun, 25 Feb 2001 15:33:28 -0500 (EST)"
Message-ID: <67798.983133792@verdi.nethelp.no>

> And UDP is stateless. I would be interested to know how you filter
> state with UDP. ;)

You punch a hole in the firewall for the port(s) in question and for a
limited amount of time (say 30 seconds). Useful to allow for instance
DNS queries from clients on the inside.

Yes, of course you are somewhat vulnerable while you have this hole in
the firewall. However, it's probably better than having everything wide
open, while also being more *useful* than having all UDP closed.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
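An added model of the time-limited UDP "hole" described in the message above: an outbound datagram from the inside opens an entry keyed on the flow, and an inbound datagram is accepted only if it matches the reverse of a still-open entry. This is illustrative Python written for this archive page, not ipfw or any code from the original post; the 30-second lifetime, the refresh-on-match behaviour and the addresses are assumptions chosen for the example.

```python
from dataclasses import dataclass

UDP_HOLE_LIFETIME = 30  # seconds; assumed value matching the message's "say 30 seconds"


@dataclass(frozen=True)
class Flow:
    """One UDP flow as seen by the firewall (addresses/ports are constructed samples)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class UdpStateTable:
    """Tracks short-lived holes opened by outbound UDP, expiring them after `lifetime`."""

    def __init__(self, lifetime: int = UDP_HOLE_LIFETIME) -> None:
        self.lifetime = lifetime
        self.table: dict[Flow, float] = {}  # flow -> absolute expiry time

    def outbound(self, flow: Flow, now: float) -> bool:
        """An inside host sends a datagram: open (or refresh) a hole for the reply."""
        self.table[flow] = now + self.lifetime
        return True

    def inbound(self, flow: Flow, now: float) -> bool:
        """Accept an inbound datagram only if it answers a hole that has not expired."""
        self._expire(now)
        reverse = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        if reverse not in self.table:
            return False  # unsolicited UDP: no matching outbound flow
        # Assumption: matching traffic refreshes the hole, as dynamic rules usually do.
        self.table[reverse] = now + self.lifetime
        return True

    def _expire(self, now: float) -> None:
        for flow in [f for f, exp in self.table.items() if exp <= now]:
            del self.table[flow]


def dns_example() -> tuple[bool, bool, bool]:
    """Constructed scenario: a DNS query, its reply, a stray packet, and a late reply."""
    fw = UdpStateTable()
    query = Flow("10.0.0.5", 40000, "192.0.2.53", 53)
    reply = Flow("192.0.2.53", 53, "10.0.0.5", 40000)
    stray = Flow("198.51.100.1", 53, "10.0.0.5", 40000)
    fw.outbound(query, now=0)
    return fw.inbound(reply, now=5), fw.inbound(stray, now=6), fw.inbound(reply, now=40)
```

`dns_example()` returns `(True, False, False)`: the genuine reply is let in, the unsolicited datagram to the same inside port is dropped, and a reply arriving after the hole has expired is dropped too.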