Date: Sun, 25 Feb 2001 16:12:45 -0500 (EST)
From: <scanner@jurai.net>
To: sthaug@nethelp.no
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <Pine.BSF.4.21.0102251551230.66763-100000@sasami.jurai.net>
In-Reply-To: <67798.983133792@verdi.nethelp.no>
On Sun, 25 Feb 2001 sthaug@nethelp.no wrote:

> You punch a hole in the firewall for the port(s) in question and for a
> limited amount of time (say 30 seconds). Useful to allow for instance
> DNS queries from clients on the inside.

Right, filtering ports. That's not quite the same as filtering on the state of a connection.

> Yes, of course you are somewhat vulnerable while you have this hole in
> the firewall. However, it's probably better than having everything wide
> open, while also being more *useful* than having all UDP closed.

Very true. And I have done this for DNS. And you are right when weighing the pros/cons of full time UDP 53 and doing limited lifetime expires of clients doing UDP DNS communications. This might be a good modification to the existing default firewall rules. Assuming it breaks nothing. Although you would still need to add a rule for TCP with DNS. But that you can filter by state and allow only established connections from the clients.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution! ICQ: 20016186
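The two DNS approaches weighed in this reply, written out as an added rc.firewall-style example (this is not code from the thread or from FreeBSD's own /etc/rc.firewall). It assumes an inside network of 192.168.1.0/24 and defaults ${fwcmd} to "echo ipfw", so it only prints the rules unless you set fwcmd=/sbin/ipfw yourself.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall. The inside network, the
# 30-second lifetime and the "echo ipfw" dry-run default are assumptions.
fwcmd="${fwcmd:-echo ipfw}"
inside_net="${inside_net:-192.168.1.0/24}"
dns_lifetime="${dns_lifetime:-30}"   # seconds a UDP 53 hole stays open

# Full-time variant discussed in the thread: UDP 53 is open in both
# directions all the time, so any host can reach inside clients on 53.
dns_rules_open() {
    ${fwcmd} add allow udp from ${inside_net} to any 53
    ${fwcmd} add allow udp from any 53 to ${inside_net}
}

# Limited-lifetime variant: a client's outbound query creates a dynamic
# rule that admits only the matching reply, and that rule expires after
# dns_lifetime seconds (ipfw's dyn_udp_lifetime sysctl, default 10 s).
dns_rules_stateful() {
    echo "sysctl -w net.inet.ip.fw.dyn_udp_lifetime=${dns_lifetime}"
    # check-state must come before the allow rules so replies that match
    # an existing dynamic entry are accepted without a static hole.
    ${fwcmd} add check-state
    ${fwcmd} add allow udp from ${inside_net} to any 53 keep-state
    # TCP DNS (zone transfers, large answers): the client's SYN creates
    # the dynamic entry, so only the established flow it opened gets in.
    ${fwcmd} add allow tcp from ${inside_net} to any 53 setup keep-state
    # Everything else aimed at port 53 on the inside is dropped.
    ${fwcmd} add deny udp from any to ${inside_net} 53
    ${fwcmd} add deny tcp from any to ${inside_net} 53
}

# Sanity check for the generated ruleset: returns 0 only if check-state
# precedes the first keep-state rule and no static inbound 53 allow exists.
dns_rules_check() {
    rules=$(dns_rules_stateful)
    cs=$(echo "$rules" | grep -n 'check-state' | head -1 | cut -d: -f1)
    ks=$(echo "$rules" | grep -n 'keep-state' | head -1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ] || return 1
    echo "$rules" | grep -q "add allow udp from any 53 to" && return 1
    return 0
}
```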