Date:      Tue, 15 Jan 2002 08:13:16 +0100
From:      Rogier Steehouder <r.j.s@gmx.net>
To:        Chris Appleton <appleton_chris@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw rules
Message-ID:  <20020115081316.A595@localhost>
In-Reply-To: <20020114163918.21575.qmail@web14802.mail.yahoo.com>; from appleton_chris@yahoo.com on Mon, Jan 14, 2002 at 08:39:18AM -0800
References:  <20020112131010.B31058@b1n.org> <20020114163918.21575.qmail@web14802.mail.yahoo.com>

On 14-01-2002 08:39 (-0800), Chris Appleton wrote:
> --- BinarySoul <binary@b1n.org> wrote:
> > Dont forget opening 20 (ftp-data) too or ftp wont work.
> > 
> > Rogier Steehouder (r.j.s@gmx.net) wrote:
> > > On 11-01-2002 12:05 (-0800), Chris Appleton wrote:
> > > > allow tcp from any 21 to a.b.c.d
> > > 
> > > This means allow connections from port 21 on any machine to any
> > > port on a.b.c.d, so you completely opened up your system.
> > > 
> > > What you're probably looking for is:
> > > 
> > > allow tcp from any to a.b.c.d 21
> > > 
> > > Allow any machine to connect to only port 21 on a.b.c.d
> 
> in case you can't see it, i'm repeatedly kicking myself in the ass. 
> hallelujah it's alive.
> i did get a stern warning about this and maybe you know if i'm exposed:
> (this is a 4.4-r bridge)
> allow ip from any a.b.c.d/24 to any
> allow tcp from any to any established
> allow udp from any 53 to any
> allow tcp from any to a.b.c.d/24 21
> 
> (apart from needing 20 for data) is the 'established' rule creating a
> big hole considering the 21 request in is essentially an established
> connection.  is there something i can do to keep the benefit of not
> having 2 rules for every port like established does?

The established rule does not create a big hole. In fact because of it
you can still surf the web for example. Imagine you making a
web-request. Then you send out a setup-packet to some web server -
allowed by rule 1. It responds and tries to send you data - allowed by
rule 2 since the connection already exists. Without the established
rule, answers would not come through. This behaviour is not a security
risk since packets that claim to be from an existing connection, but are
not, are dropped anyway.

With kind regards, Rogier Steehouder

-- 
                          ___                          _
-O_\                                                  //
 | /               Rogier Steehouder                 //\
/ \                  r.j.s@gmx.net                  //  \
  <---------------------- 25m ---------------------->
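As an added example that is not part of this thread: a small Python model of ipfw first-match filtering for the rule forms discussed above, showing that "allow tcp from any 21 to a.b.c.d" matches traffic to every port on a.b.c.d while "allow tcp from any to a.b.c.d 21" matches only port 21, with "established" modelled as ipfw implements it, as a check of the TCP ACK/RST flags. The addresses 192.0.2.10 (standing in for a.b.c.d) and 198.51.100.5 are constructed sample values.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST flag set; this is all that "established" tests

# Subset of ipfw syntax from the thread: a port is optional and belongs to the address it FOLLOWS.
RULE_RE = re.compile(r"(?P<action>allow|deny) (?P<proto>ip|tcp|udp) from (?P<src>\S+)"
                     r"(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?"
                     r"(?P<established> established)?")

def parse_rule(text: str) -> dict:
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    r = m.groupdict()
    r["sport"], r["dport"] = (int(v) if v else None for v in (r["sport"], r["dport"]))
    r["established"] = r["established"] is not None
    return r

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(r: dict, p: Packet) -> bool:
    if r["proto"] not in ("ip", p.proto):
        return False
    if not (_addr_ok(r["src"], p.src) and _addr_ok(r["dst"], p.dst)):
        return False
    if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
        return False
    return p.ack if r["established"] else True

def verdict(rules: list, p: Packet) -> str:
    """First matching rule decides; no match falls through to ipfw's default deny."""
    for r in rules:
        if rule_matches(r, p):
            return r["action"]
    return "deny"

# Constructed sample: 192.0.2.10 stands in for a.b.c.d, 198.51.100.5 is some remote host.
WRONG = parse_rule("allow tcp from any 21 to 192.0.2.10")
RIGHT = parse_rule("allow tcp from any to 192.0.2.10 21")
TO_SSH_FROM_PORT_21 = Packet("tcp", "198.51.100.5", 21, "192.0.2.10", 22)
```

With the rule set [RIGHT, established, dns], verdict() on TO_SSH_FROM_PORT_21 is "deny"; swap in WRONG and the same packet is allowed, which is the hole the thread points out.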
