Date:      Mon, 2 Jun 1997 09:39:56 +0200 (MET DST)
From:      Eivind Eklund <perhaps@yes.no>
To:        Harlan Stenn <Harlan.Stenn@pfcs.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Improvements to rc.firewall?
Message-ID:  <199706020739.JAA18950@bitbox.follo.net>
In-Reply-To: Harlan Stenn's message of Sun, 01 Jun 1997 23:21:26 -0300
References:  <1883.865221686@mumps.pfcs.com>

> 
> These diffs are against the rc.firewall in -current.
> 
> I believe the existing rules say:
> 
> 	allow anybody from the outside who sends from port 53 or 123 to
> 	send UDP packets to anyplace on our net
> 
> If this is true, we should tighten it up to only permit outsiders to
> reach *our* DNS and NTP ports with UDP.
> 
> These diffs *are intended* to do the job...
> 
> Would somebody please review these and, if appropriate, commit the
> changes?

As far as I can tell, they're wrong.  Don't they deny DNS-responses?
The original seems to be correct.


(Patch reproduced below)
--- rc.firewall-	Sun Jun  1 21:23:06 1997
+++ rc.firewall	Sun Jun  1 21:29:11 1997
@@ -87,11 +87,11 @@
     /sbin/ipfw add deny tcp from any to any setup
 
     # Allow DNS queries out in the world
-    /sbin/ipfw add pass udp from any 53 to ${ip}
+    /sbin/ipfw add pass udp from any to ${ip} 53
     /sbin/ipfw add pass udp from ${ip} to any 53
 
     # Allow NTP queries out in the world
-    /sbin/ipfw add pass udp from any 123 to ${ip}
+    /sbin/ipfw add pass udp from any to ${ip} 123
     /sbin/ipfw add pass udp from ${ip} to any 123
 
     # Everything else is denied as default.
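Review bot: the replacement rules break replies to our own outbound queries. The outbound rule kept on the next line, `pass udp from ${ip} to any 53`, sends a query from an ephemeral port on ${ip}; the answer comes back from source port 53 to that ephemeral port, which the old line `pass udp from any 53 to ${ip}` matched. The new `pass udp from any to ${ip} 53` only matches packets whose destination port is 53 on ${ip}, i.e. inbound queries to a local name server, so under "Everything else is denied as default" the responses are dropped. The same applies to the NTP pair at port 123. If the goal is to tighten the source-port-53 rule rather than remove it, restrict its destination to the port range the resolver replies to, not to port 53.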
@@ -144,11 +144,11 @@
     /sbin/ipfw add pass tcp from any to any setup
 
     # Allow DNS queries out in the world
-    /sbin/ipfw add pass udp from any 53 to ${oip}
+    /sbin/ipfw add pass udp from any to ${oip} 53
     /sbin/ipfw add pass udp from ${oip} to any 53
 
     # Allow NTP queries out in the world
-    /sbin/ipfw add pass udp from any 123 to ${oip}
+    /sbin/ipfw add pass udp from any to ${oip} 123
     /sbin/ipfw add pass udp from ${oip} to any 123
 
     # Everything else is denied as default.
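Review bot: same defect as the first hunk, this time for ${oip}: `pass udp from any to ${oip} 53` and `pass udp from any to ${oip} 123` admit only packets destined for a listening server on ${oip}, not the replies to queries that `pass udp from ${oip} to any 53` and `pass udp from ${oip} to any 123` send out, so those replies fall through to the default deny. Note also that the comments "Allow DNS queries out in the world" and "Allow NTP queries out in the world" no longer describe the inbound rules beneath them; if this direction were intended, the comments should say so, and the reply path would still need a rule of its own.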

Eivind.


