Date:      Tue, 21 Jul 1998 14:24:51 +0200
From:      Johann Visagie <wjv@cityip.co.za>
To:        Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc:        security@FreeBSD.ORG
Subject:   Re: ipfw & icmp question
Message-ID:  <19980721142451.A4361@cityip.co.za>
In-Reply-To: <19980530234807.14632@deepo.prosa.dk>; from Philippe Regnauld on Sat, May 30, 1998 at 11:48:08PM +0200
References:  <19980530234807.14632@deepo.prosa.dk>

On Sat, 30 May 1998 at 23:48 SAT, Philippe Regnauld wrote:
> 
> I am a bit puzzled regarding the following situation:
> 
> I have a machine with IPFW setup to send "port unreachable" if
> a connection attempt is made on port 113/TCP (identd).  The policy
> is default deny.  Here is what happens when I do "telnet host 113"

Sorry, can't help you with that one.  I just allow queries to 113/tcp and
make sure there's nothing running on the port.  *shrug*

> PS: in the /etc/rc.firewall (2.2.6 still), one rule says
> for the "Simple firewall setup":
> 
>  # Allow DNS queries out in the world
>  /sbin/ipfw add pass udp from any 53 to ${oip}
>  /sbin/ipfw add pass udp from ${oip} to any 53
> 
> This is a bit confusing -- from reading the rules, I understand:
> 
> "Allow DNS queries, from out in the world, to us", while
> the formulation above says "Allow DNS queries from inside/here
> out into the world".

Nope, your resolver library will originate the query on an arbitrary port
greater than 1023, and connect to 53/udp on the remote nameserver.  The
remote nameserver returns the reply from its port 53 to your arbitrary port.
The above rules allow _your_ host to query a remote host, as the comment
indicates.  To enable it the other way round:

  /sbin/ipfw add pass udp from ${oip} 53 to any
  /sbin/ipfw add pass udp from any to ${oip} 53

However, it may not be necessary to add the above rules, since most resolver
libraries will try to query via TCP if UDP fails, i.e. you can simply add:

  /sbin/ipfw add pass tcp from any to ${oip} 53 setup

(Assuming you allow already established connections by default elsewhere.)

-- V

Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878
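An added illustration (not part of the original message, and not ipfw itself): a small first-match model of the ipfw rule semantics discussed above, fed the three rule sets quoted in the reply. It assumes ${oip} is 192.0.2.1, that the remote nameserver and the outside probe come from constructed documentation addresses, and that "setup" means a TCP SYN without ACK. Running it shows why the rc.firewall pair permits outbound queries and their replies but not inbound queries, why the reversed pair does the opposite, and a detail worth checking on any such ruleset: "pass udp from any 53 to ${oip}" matches every UDP datagram whose source port is 53, whatever destination port it is aimed at, since the rule names no destination port.

```python
"""Toy first-match model of ipfw(8) rule evaluation.

Added example, not code from the original message or from FreeBSD. It models
only what the thread needs: protocol, addresses, ports, the TCP 'setup'
keyword, and a default-deny final rule. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

OIP = "192.0.2.1"          # assumed value of ${oip}, the firewall's outside address


@dataclass(frozen=True)
class Packet:
    proto: str             # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "deny"
    proto: str             # "udp", "tcp" or "ip" (any protocol)
    src: str               # address or "any"
    sport: Optional[int]   # None means "any source port"
    dst: str
    dport: Optional[int]   # None means "any destination port"
    setup: bool = False    # match only TCP segments with SYN set and ACK clear

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.setup and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        return True


def parse(rule: str, oip: str = OIP) -> Rule:
    """Parse the subset of ipfw syntax used in the message:
    '<action> <proto> from <src> [port] to <dst> [port] [setup]'."""
    toks = rule.replace("${oip}", oip).split()
    action, proto = toks[0], toks[1]
    i = toks.index("to")
    src_part, dst_part = toks[3:i], toks[i + 1:]
    setup = bool(dst_part) and dst_part[-1] == "setup"
    if setup:
        dst_part = dst_part[:-1]
    sport = int(src_part[1]) if len(src_part) > 1 else None
    dport = int(dst_part[1]) if len(dst_part) > 1 else None
    return Rule(action, proto, src_part[0], sport, dst_part[0], dport, setup)


def ruleset(lines: List[str]) -> List[Rule]:
    return [parse(line) for line in lines]


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; nothing matching falls through to default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The three rule sets quoted in the message.
RC_FIREWALL_DNS = ["pass udp from any 53 to ${oip}", "pass udp from ${oip} to any 53"]
SERVER_DNS = ["pass udp from ${oip} 53 to any", "pass udp from any to ${oip} 53"]
TCP_DNS = ["pass tcp from any to ${oip} 53 setup"]

# Constructed traffic: our query and its reply, a query aimed at us, and an
# outside probe that simply chose 53 as its source port.
QUERY_OUT = Packet("udp", OIP, 1025, "198.51.100.53", 53)
REPLY_IN = Packet("udp", "198.51.100.53", 53, OIP, 1025)
QUERY_IN = Packet("udp", "203.0.113.7", 1030, OIP, 53)
PROBE_SPORT_53 = Packet("udp", "203.0.113.7", 53, OIP, 111)
TCP_SYN_53 = Packet("tcp", "203.0.113.7", 40000, OIP, 53, syn=True)
TCP_SYN_22 = Packet("tcp", "203.0.113.7", 40000, OIP, 22, syn=True)

if __name__ == "__main__":
    for name, lines in (("rc.firewall", RC_FIREWALL_DNS), ("reversed", SERVER_DNS),
                        ("tcp setup", TCP_DNS)):
        rules = ruleset(lines)
        for p in (QUERY_OUT, REPLY_IN, QUERY_IN, PROBE_SPORT_53, TCP_SYN_53, TCP_SYN_22):
            print(f"{name:12} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict(rules, p)}")
```

The PROBE_SPORT_53 result is the one to note: under the rc.firewall pair it is passed to port 111 purely because its source port is 53. If that matters on a given host, the reply rule can be narrowed to unprivileged destination ports (ipfw accepts port ranges) or, on ipfw versions that support it, replaced by a stateful check-state/keep-state pair so only replies to queries the host actually sent get in.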

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980721142451.A4361>