Date: Sun, 01 Jun 1997 23:21:26 -0300
From: Harlan Stenn <Harlan.Stenn@pfcs.com>
To: hackers@freebsd.org
Subject: Improvements to rc.firewall?
Message-ID: <1883.865221686@mumps.pfcs.com>
These diffs are against the rc.firewall in -current.

I believe the existing rules say:

	allow anybody from the outside who sends from port 53 or 123 to send
	UDP packets to anyplace on our net

If this is true, we should tighten it up to only permit outsiders to reach
*our* DNS and NTP ports with UDP.

These diffs *are intended* to do the job...

Would somebody please review these and, if appropriate, commit the changes?

Thanks...

H

--- rc.firewall-	Sun Jun 1 21:23:06 1997
+++ rc.firewall	Sun Jun 1 21:29:11 1997
@@ -87,11 +87,11 @@
 	/sbin/ipfw add deny tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	/sbin/ipfw add pass udp from any 53 to ${ip}
+	/sbin/ipfw add pass udp from any to ${ip} 53
 	/sbin/ipfw add pass udp from ${ip} to any 53
 
 	# Allow NTP queries out in the world
-	/sbin/ipfw add pass udp from any 123 to ${ip}
+	/sbin/ipfw add pass udp from any to ${ip} 123
 	/sbin/ipfw add pass udp from ${ip} to any 123
 
 	# Everything else is denied as default.
@@ -144,11 +144,11 @@
 	/sbin/ipfw add pass tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	/sbin/ipfw add pass udp from any 53 to ${oip}
+	/sbin/ipfw add pass udp from any to ${oip} 53
 	/sbin/ipfw add pass udp from ${oip} to any 53
 
 	# Allow NTP queries out in the world
-	/sbin/ipfw add pass udp from any 123 to ${oip}
+	/sbin/ipfw add pass udp from any to ${oip} 123
 	/sbin/ipfw add pass udp from ${oip} to any 123
 
 	# Everything else is denied as default.
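Review bot: in the @@ -87 hunk, the new line `/sbin/ipfw add pass udp from any to ${ip} 53` no longer matches its comment `# Allow DNS queries out in the world`. These rules are stateless, so the reply to a query that a resolver on ${ip} sent from an ephemeral port arrives as UDP from the server's port 53 to that ephemeral port; the old `from any 53 to ${ip}` admitted it (along with everything else sourced from port 53, which is the problem the mail raises), but the new line only admits traffic whose destination is port 53 on ${ip}, so such replies now fall through to the trailing deny and outbound resolution breaks unless all lookups go to a name server running on ${ip} itself. What the new line does express is "accept queries to a DNS server on ${ip}", which is a different policy than the comment states. Suggest either changing the comment to say the host is expected to run its own name server, or keeping a reply rule that still excludes the low ports (destination limited to unprivileged ports, if this ipfw accepts a port range there). The NTP line has the same shape; it is less disruptive because ntpd itself sends from port 123, but a client querying from an unprivileged port (ntpdate -u, for instance) loses its replies the same way.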
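Review bot: the @@ -144 hunk has the same concern as the first one: `pass udp from any to ${oip} 53` and `pass udp from any to ${oip} 123` stop admitting replies to queries sent outward from ephemeral ports on ${oip}, while the comments above them still read `# Allow DNS queries out in the world` and `# Allow NTP queries out in the world`. The two hunks differ only in ${ip} versus ${oip}, so whatever is decided for the first should be applied identically here, and the commit message (or this mail) should state which intent the rules serve, a host that runs DNS/NTP servers or a host that only queries outward, since the current rule set cannot cover both without a separate reply rule.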
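The following Python is an added illustration, not part of Harlan's mail and not FreeBSD's rc.firewall or ipfw(8). It models the stateless first-match semantics of the UDP rule forms in both hunks and runs the old and patched DNS/NTP rules over constructed packets, so the reader can see exactly which traffic each version admits. The address 192.0.2.10 stands in for ${ip}, 198.51.100.7 for an outside host, and the ephemeral port numbers are constructed; the parser handles only the rule shape the hunks use.

```python
"""Stateless ipfw-style matcher for the UDP rule forms in the hunks above.

Added example, not FreeBSD's rc.firewall or ipfw(8) itself.  It models only
the rule subset the patch touches: first matching rule wins and anything
unmatched falls through to rc.firewall's deny-by-default.  192.0.2.10 is a
constructed stand-in for ${ip}; the outside host is constructed too.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = "192.0.2.10"  # constructed stand-in for the ${ip} variable in rc.firewall


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "deny"
    proto: str             # "udp" for every rule handled here
    src: str               # address or "any"
    sport: Optional[int]   # None when the rule names no source port
    dst: str
    dport: Optional[int]   # None when the rule names no destination port


def parse_rule(line: str) -> Rule:
    """Parse '/sbin/ipfw add ACTION PROTO from SRC [PORT] to DST [PORT]'.

    Only this shape is handled; the tcp 'setup' rules are out of scope.
    """
    tokens = line.replace("${ip}", IP).split()
    if tokens[:2] == ["/sbin/ipfw", "add"]:
        tokens = tokens[2:]
    action, proto, kw_from, src = tokens[:4]
    if kw_from != "from":
        raise ValueError(f"unsupported rule: {line}")
    rest = tokens[4:]
    sport = None
    if rest[0] != "to":             # optional source port sits before 'to'
        sport = int(rest.pop(0))
    if rest.pop(0) != "to":
        raise ValueError(f"unsupported rule: {line}")
    dst = rest.pop(0)
    dport = int(rest.pop(0)) if rest else None
    return Rule(action, proto, src, sport, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """'any' matches every address; an omitted port matches every port."""
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; unmatched traffic hits the trailing deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The DNS/NTP lines from the first hunk, before and after the patch.
OLD_RULES = [parse_rule(r) for r in (
    "/sbin/ipfw add pass udp from any 53 to ${ip}",
    "/sbin/ipfw add pass udp from ${ip} to any 53",
    "/sbin/ipfw add pass udp from any 123 to ${ip}",
    "/sbin/ipfw add pass udp from ${ip} to any 123",
)]
NEW_RULES = [parse_rule(r) for r in (
    "/sbin/ipfw add pass udp from any to ${ip} 53",
    "/sbin/ipfw add pass udp from ${ip} to any 53",
    "/sbin/ipfw add pass udp from any to ${ip} 123",
    "/sbin/ipfw add pass udp from ${ip} to any 123",
)]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under the old rules, verdict under the patched rules)."""
    return verdict(OLD_RULES, pkt), verdict(NEW_RULES, pkt)


# Constructed sample traffic (addresses and ephemeral ports are made up).
OUTSIDER = "198.51.100.7"
SAMPLES = {
    # The problem the mail describes: anything sourced from port 53 reached
    # every UDP port on ${ip}.
    "sport53_to_arbitrary_port": Packet("udp", OUTSIDER, 53, IP, 111),
    # Reply to a query our own resolver sent from an ephemeral port.
    "reply_to_our_dns_query": Packet("udp", OUTSIDER, 53, IP, 40000),
    # Outside client querying a name server on ${ip}.
    "query_to_our_dns_server": Packet("udp", OUTSIDER, 40001, IP, 53),
    # NTP traffic between two ntpd instances, port 123 on both sides.
    "ntp_123_to_123": Packet("udp", OUTSIDER, 123, IP, 123),
    # Our own outbound query; unaffected by the patch.
    "our_query_out": Packet("udp", IP, 40000, OUTSIDER, 53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        old, new = compare(pkt)
        print(f"{name:28s} old={old:5s} new={new}")
```

Running it shows the trade-off the patch makes: the probe sourced from port 53 goes from pass to deny, which is the tightening the mail wants, but the reply to the host's own ephemeral-port DNS query goes from pass to deny as well, while inbound queries to port 53 on ${ip} go from deny to pass. NTP between two port-123 daemons passes under both rule sets.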