From owner-freebsd-hackers Mon Jun 2 00:40:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA04915 for hackers-outgoing; Mon, 2 Jun 1997 00:40:32 -0700 (PDT)
Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA04910 for ; Mon, 2 Jun 1997 00:40:26 -0700 (PDT)
Received: (from eivind@localhost) by bitbox.follo.net (8.7.6/8.7.3) id JAA18950; Mon, 2 Jun 1997 09:39:56 +0200 (MET DST)
Date: Mon, 2 Jun 1997 09:39:56 +0200 (MET DST)
Message-Id: <199706020739.JAA18950@bitbox.follo.net>
From: Eivind Eklund
To: Harlan Stenn
CC: hackers@FreeBSD.ORG
In-reply-to: Harlan Stenn's message of Sun, 01 Jun 1997 23:21:26 -0300
Subject: Re: Improvements to rc.firewall?
References: <1883.865221686@mumps.pfcs.com>
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> These diffs are against the rc.firewall in -current.
>
> I believe the existing rules say:
>
>   allow anybody from the outside who sends from port 53 or 123 to
>   send UDP packets to anyplace on our net
>
> If this is true, we should tighten it up to only permit outsiders to
> reach *our* DNS and NTP ports with UDP.
>
> These diffs *are intended* to do the job...
>
> Would somebody please review these and, if appropriate, commit the
> changes?

As far as I can tell, they're wrong. Don't they deny DNS-responses?

The original seems to be correct.

(Patch reproduced below)

--- rc.firewall- Sun Jun 1 21:23:06 1997 +++ rc.firewall Sun Jun 1 21:29:11 1997 @@ -87,11 +87,11 @@ /sbin/ipfw add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} + /sbin/ipfw add pass udp from any to ${ip} 53 /sbin/ipfw add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} + /sbin/ipfw add pass udp from any to ${ip} 123 /sbin/ipfw add pass udp from ${ip} to any 123 # Everything else is denied as default.
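Review bot: the replacement lines in this hunk break replies to queries that ${ip} itself sends. A query leaves ${ip} from an ephemeral source port to port 53 (matched by the unchanged `pass udp from ${ip} to any 53`), and the resolver answers from source port 53 back to that ephemeral port; the new `pass udp from any to ${ip} 53` only matches datagrams whose destination port is 53, so the answer falls through to the default deny. The removed `pass udp from any 53 to ${ip}` is what admitted those answers, at the cost of also admitting any outside UDP datagram with source port 53 to any port on ${ip}, which is the weakness the description names. The NTP pair has the same shape: the new rule covers queries to an NTP server on ${ip}, not answers to ${ip}'s own queries. Suggest keeping the reply rule and narrowing it on the other side (destination port range or the known server addresses) rather than swapping the port to the destination.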
@@ -144,11 +144,11 @@ /sbin/ipfw add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} + /sbin/ipfw add pass udp from any to ${oip} 53 /sbin/ipfw add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} + /sbin/ipfw add pass udp from any to ${oip} 123 /sbin/ipfw add pass udp from ${oip} to any 123 # Everything else is denied as default. Eivind.
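Review bot: same problem as the ${ip} hunk above, now for the ${oip} section: `pass udp from any to ${oip} 53` and `pass udp from any to ${oip} 123` match only traffic addressed to port 53 or 123 on ${oip}, so resolver and NTP server replies (source port 53 or 123, ephemeral destination port) no longer match any pass rule and hit the default deny. Keep a rule that admits those replies and restrict its source instead.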
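The disagreement in this thread, as an added example that is not from the mailing list or from rc.firewall: a small Python model of ipfw's first-match evaluation for the UDP rules quoted in the patch, run over a DNS query and its reply under the original and the patched rule pairs. The addresses, ports and the unsolicited datagram are constructed for the example; the model also reproduces the hole Harlan describes in the original rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUR_IP = "192.0.2.10"        # constructed stand-in for ${ip}
RESOLVER = "198.51.100.53"   # constructed external DNS server
Packet = Tuple[str, int, str, int]   # (src, sport, dst, dport)

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "deny"
    src: str               # "any" or an address
    sport: Optional[int]   # None matches any port
    dst: str
    dport: Optional[int]

def parse_rule(line: str) -> Rule:
    """Parse '/sbin/ipfw add pass udp from A [port] to B [port]' (udp only)."""
    tok = line.split()
    i, t = tok.index("from"), tok.index("to")
    src = tok[i + 1]
    sport = int(tok[i + 2]) if t - i == 3 else None   # port given after src?
    dst = tok[t + 1]
    dport = int(tok[t + 2]) if len(tok) > t + 2 else None
    return Rule(tok[tok.index("add") + 1], src, sport, dst, dport)

def matches(r: Rule, p: Packet) -> bool:
    s, sp, d, dp = p
    return ((r.src == "any" or r.src == s) and (r.sport in (None, sp))
            and (r.dst == "any" or r.dst == d) and (r.dport in (None, dp)))

def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; rc.firewall denies everything else."""
    return next((r.action for r in rules if matches(r, p)), "deny")

ORIGINAL = [parse_rule(l) for l in (
    f"/sbin/ipfw add pass udp from any 53 to {OUR_IP}",
    f"/sbin/ipfw add pass udp from {OUR_IP} to any 53")]
PATCHED = [parse_rule(l) for l in (
    f"/sbin/ipfw add pass udp from any to {OUR_IP} 53",
    f"/sbin/ipfw add pass udp from {OUR_IP} to any 53")]

def dns_lookup(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for a query from an ephemeral port and the resolver's reply."""
    query: Packet = (OUR_IP, 40001, RESOLVER, 53)
    reply: Packet = (RESOLVER, 53, OUR_IP, 40001)
    return verdict(rules, query), verdict(rules, reply)

def unsolicited_from_53(rules: List[Rule]) -> str:
    """The hole Harlan describes: an outside datagram with source port 53
    aimed at some other UDP port on our host (constructed sender)."""
    return verdict(rules, ("203.0.113.7", 53, OUR_IP, 514))
```

Under the original rules the lookup is ("pass", "pass") but the unsolicited datagram also passes; under the patched rules the unsolicited datagram is denied, and so is the resolver's reply, which is Eivind's objection.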