Date: Sun, 1 Jun 1997 23:56:13 -0400
From: Harlan Stenn <Harlan.Stenn@pfcs.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: conf/3750: Potential improvements to rc.firewall
Message-ID: <E0wYOE9-0000kR-00@brown.pfcs.com>
Resent-Message-ID: <199706020400.VAA24167@hub.freebsd.org>
>Number: 3750
>Category: conf
>Synopsis: Potential improvements to rc.firewall
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 1 21:00:01 PDT 1997
>Last-Modified:
>Originator: Harlan Stenn
>Organization:
PFCS Corporation
>Release: FreeBSD 2.1.0-RELEASE i386
>Environment:
-current (probably earlier releases, too)
>Description:
I think some of the rules are too loose.
>How-To-Repeat:
Examination.
>Fix:
(I also sent this to -hackers)
--- rc.firewall- Sun Jun 1 21:23:06 1997
+++ rc.firewall Sun Jun 1 21:29:11 1997
@@ -87,11 +87,11 @@
/sbin/ipfw add deny tcp from any to any setup
# Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${ip}
+ /sbin/ipfw add pass udp from any to ${ip} 53
/sbin/ipfw add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${ip}
+ /sbin/ipfw add pass udp from any to ${ip} 123
/sbin/ipfw add pass udp from ${ip} to any 123
# Everything else is denied as default.
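Review bot: the replacement rule `/sbin/ipfw add pass udp from any to ${ip} 53` changes which direction of traffic is admitted instead of tightening the original. The comment and the unchanged companion rule `/sbin/ipfw add pass udp from ${ip} to any 53` describe queries going out; the answers come back from source port 53 to an ephemeral port on ${ip}, which the removed rule matched and the new one does not, so the resolver on this host stops receiving replies, while packets from any source to ${ip}'s own port 53 (inbound server traffic) become permitted. The NTP pair has the same problem. The weakness in the original is that the reply rule lets a sender using source port 53 or 123 reach any UDP port on ${ip}; keep the reply direction and narrow the destination instead, e.g. `from any 53 to ${ip} 1024-65535` for DNS and `from any 123 to ${ip} 123` for NTP (ntpd both sends from and listens on port 123), which closes that gap without breaking the stated intent.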
@@ -144,11 +144,11 @@
/sbin/ipfw add pass tcp from any to any setup
# Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${oip}
+ /sbin/ipfw add pass udp from any to ${oip} 53
/sbin/ipfw add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${oip}
+ /sbin/ipfw add pass udp from any to ${oip} 123
/sbin/ipfw add pass udp from ${oip} to any 123
# Everything else is denied as default.
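Review bot: `/sbin/ipfw add pass udp from any to ${oip} 53` (and the matching 123 rule) inverts the reply path for this interface as well: the companion rule `from ${oip} to any 53` sends queries out, their answers arrive from source port 53 to an ephemeral port on ${oip}, and the new rule no longer matches them while it newly admits any source sending to ${oip} port 53. Narrowing the destination port range of the existing reply rule, e.g. `from any 53 to ${oip} 1024-65535` and `from any 123 to ${oip} 123`, removes the "any port on ${oip}" exposure that motivated the PR while keeping outbound DNS and NTP working.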
>Audit-Trail:
>Unformatted: