From owner-freebsd-security Sun Feb 25 13:13:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id 69D9437B401 for ; Sun, 25 Feb 2001 13:13:41 -0800 (PST) (envelope-from scanner@jurai.net)
Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id QAA67054; Sun, 25 Feb 2001 16:12:45 -0500 (EST)
Date: Sun, 25 Feb 2001 16:12:45 -0500 (EST)
From: 
To: sthaug@nethelp.no
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: <67798.983133792@verdi.nethelp.no>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 25 Feb 2001 sthaug@nethelp.no wrote:

> You punch a hole in the firewall for the port(s) in question and for a
> limited amount of time (say 30 seconds). Useful to allow for instance
> DNS queries from clients on the inside.

Right, filtering ports. That's not quite the same as filtering on the state of a connection.

> Yes, of course you are somewhat vulnerable while you have this hole in
> the firewall. However, it's probably better than having everything wide
> open, while also being more *useful* than having all UDP closed.

Very true. And I have done this for DNS. And you are right when weighing the pros/cons of full-time UDP 53 and doing limited-lifetime expires of clients doing UDP DNS communications. This might be a good modification to the existing default firewall rules, assuming it breaks nothing. Although you would still need to add a rule for TCP with DNS, that you can filter by state and allow only established connections from the clients.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186
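The distinction the thread is drawing (a static hole for a port versus a dynamic rule that exists only while an inside client has a DNS exchange in flight and expires after a short lifetime) is easiest to see in a small simulation. The following is an added example, not code from the thread or from FreeBSD's /etc/rc.firewall; it models the behaviour loosely after ipfw's keep-state/check-state dynamic rules. The inside network 10.0.0.0/24, the addresses, ports, timestamps and the 30-second UDP lifetime are constructed values, and the packet sequence in `run_scenario` is a constructed trace.

```python
# Added example (not from the mailing-list thread): a toy stateful packet filter
# that models the "limited-lifetime hole" for UDP DNS discussed above. The inside
# network, addresses, ports and lifetimes are constructed values, not real ones.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds since the start of the scenario
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Static rules plus a table of dynamic rules that expire after a lifetime."""

    def __init__(self, inside="10.0.0.0/24", udp_lifetime=30.0, tcp_lifetime=300.0):
        self.inside = ip_network(inside)
        self.lifetimes = {"udp": udp_lifetime, "tcp": tcp_lifetime}
        self.dynamic = {}   # (proto, src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        # drop every dynamic rule whose lifetime has run out; this is what closes the hole
        self.dynamic = {k: exp for k, exp in self.dynamic.items() if exp > now}

    def decide(self, pkt):
        self._expire(pkt.t)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # check-state: traffic in either direction of an open dynamic rule passes,
        # and the activity refreshes the rule's lifetime
        for k in (key, reverse):
            if k in self.dynamic:
                self.dynamic[k] = pkt.t + self.lifetimes[pkt.proto]
                return "allow dynamic"
        # keep-state: an inside client talking to port 53 opens a dynamic rule for
        # exactly that 5-tuple, nothing wider
        outbound = (ip_address(pkt.src) in self.inside
                    and ip_address(pkt.dst) not in self.inside)
        if outbound and pkt.dport == 53 and pkt.proto in self.lifetimes:
            self.dynamic[key] = pkt.t + self.lifetimes[pkt.proto]
            return "allow keep-state"
        # everything else, including unsolicited inbound UDP to port 53 clients, is denied
        return "deny"


def run_scenario():
    """Run a constructed packet trace through the filter and return each verdict."""
    fw = StatefulFilter()
    packets = [
        Packet(0.0, "udp", "10.0.0.5", 1234, "192.0.2.53", 53),    # client query
        Packet(0.2, "udp", "192.0.2.53", 53, "10.0.0.5", 1234),    # matching reply
        Packet(1.0, "udp", "192.0.2.53", 53, "10.0.0.5", 4444),    # unsolicited datagram
        Packet(2.0, "tcp", "10.0.0.5", 1235, "192.0.2.53", 53),    # TCP query (large answer)
        Packet(2.1, "tcp", "192.0.2.53", 53, "10.0.0.5", 1235),    # TCP reply, state exists
        Packet(45.0, "udp", "192.0.2.53", 53, "10.0.0.5", 1234),   # reply after UDP hole closed
        Packet(60.0, "udp", "203.0.113.7", 53, "10.0.0.5", 1234),  # reply from a server never queried
    ]
    return [(p.t, fw.decide(p)) for p in packets]


if __name__ == "__main__":
    for t, verdict in run_scenario():
        print(f"t={t:5.1f}s  {verdict}")
```

The trace shows the trade-off the thread describes: the reply to the client's own query at 0.2 s passes, an unsolicited datagram to a different client port is denied even while the hole is open, and a datagram to the same 5-tuple after the 30-second lifetime is denied because the dynamic rule has been expired. The TCP case is handled by the same mechanism, which is the "filter by state" approach the reply recommends for DNS over TCP.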