From owner-cvs-all Tue Feb 20 11:54:34 2001
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id C2E6B37B65D; Tue, 20 Feb 2001 11:54:31 -0800 (PST)
    (envelope-from nsayer@FreeBSD.org)
Received: (from nsayer@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f1KJsV934620;
    Tue, 20 Feb 2001 11:54:31 -0800 (PST)
    (envelope-from nsayer)
Message-Id: <200102201954.f1KJsV934620@freefall.freebsd.org>
From: Nick Sayer
Date: Tue, 20 Feb 2001 11:54:31 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/etc rc.firewall
X-FreeBSD-CVS-Branch: HEAD
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

nsayer      2001/02/20 11:54:31 PST

  Modified files:
    etc                  rc.firewall
  Log:
  Fix some glaring insecurities in the prototype firewall configurations.

  pass udp from any 53 to ${oip}

  allows an attacker to access ANY local port by simply binding his
  local side to 53. The state keeping mechanism is the correct way
  to allow DNS replies to go back to their source.

  Revision  Changes    Path
  1.39      +5 -9      src/etc/rc.firewall

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
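
The difference the log message describes, as an added example that is not part of the original commit or of rc.firewall: a simplified Python model comparing the stateless source-port-53 rule with a keep-state style rule over constructed packets. The class and function names, the addresses (documentation ranges) and the port numbers are assumptions, and the model ignores state timeouts and everything else a real packet filter does.

```python
from collections import namedtuple

# Constructed packet model: UDP only, addresses from documentation ranges.
Packet = namedtuple("Packet", "src sport dst dport")

OIP = "192.0.2.10"  # stands in for ${oip}; constructed value


def stateless_pass(pkt):
    """Old behaviour: 'pass udp from any 53 to ${oip}' plus an outbound DNS rule."""
    inbound = pkt.dst == OIP and pkt.sport == 53   # destination port is never checked
    outbound = pkt.src == OIP and pkt.dport == 53
    return inbound or outbound


class StatefulFilter:
    """Simplified model of 'pass udp from ${oip} to any 53 keep-state'."""

    def __init__(self):
        self.flows = set()  # dynamic entries created by outbound queries

    def allow(self, pkt):
        # Outbound DNS query: pass it and remember the exact 4-tuple.
        if pkt.src == OIP and pkt.dport == 53:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: pass only if it mirrors a remembered query.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def evaluate(packets):
    """Return [(packet, stateless_verdict, stateful_verdict), ...] in order."""
    fw = StatefulFilter()
    return [(p, stateless_pass(p), fw.allow(p)) for p in packets]


# Constructed traffic: a query, its reply, and an unsolicited packet
# whose sender merely bound its source port to 53.
SAMPLE = [
    Packet(OIP, 40000, "198.51.100.53", 53),
    Packet("198.51.100.53", 53, OIP, 40000),
    Packet("203.0.113.66", 53, OIP, 2049),
]

if __name__ == "__main__":
    for pkt, old, new in evaluate(SAMPLE):
        print(pkt, "stateless:", old, "keep-state:", new)
```

Only the third packet is treated differently: the stateless rule passes it on its source port alone, while the stateful model finds no matching outbound query and rejects it.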